[Freeipa-devel] command-line arguments

Simo Sorce ssorce at redhat.com
Fri Sep 7 16:51:36 UTC 2007


On Fri, 2007-09-07 at 12:45 -0400, Andrew C. Dingman wrote:
> On Fri, 2007-09-07 at 11:57 -0400, Simo Sorce wrote:
> > On Fri, 2007-09-07 at 11:42 -0400, Andrew C. Dingman wrote:
> > > On Fri, 2007-09-07 at 11:27 -0400, Simo Sorce wrote:
> > Not all systems let you login without the root password even in
> > single-user mode.
> 
> I don't know of a Linux distribution where I can't get around the
> password for maintenance, but I'll have to take your word for it on
> other systems.

IIRC Debian always asks you for the root password. Sure, you can always
boot with a rescue disk, but that's cheating :)

> > > > Also it makes it impossible for users to join the machine and keep
> > > > control of it themselves. In some enterprises that is not wanted but in
> > > > many R&D departments that's a necessity.
> > > 
> > > Sudo solves many problems, including this one. In fact, I run a number
> > > of my machines with no root password and all administration done through
> > > sudo. The FDA auditors loved that.
> > 
> > I love sudo as well, we are planning to support it asap with the work on
> > policies.
> 
> In that case, I think the argument for considering root in IPA is much
> weaker. Sudo and no root password at all is a better solution. If you
> support sudo through IPA, then any admin who wants to can just remove
> the root password from the local system. I had assumed that sudo support
> would be a v2 goal.

Yeah, sudo will be v2, but nobody will prevent you from using sudo with
IPAv1; it's just that you will have to replicate the configuration on
multiple machines on your own.

Simo.
