System Administration Guide: Security Services

Making Root a Role

This procedure shows how to change root from a user to a role within a local scope. Changing root to a role prevents users from logging in to that server directly as root. Users must first log in as themselves so their UIDs are available for auditing.


Caution –

If you make root a role without assigning it to a valid user or without a currently existing role equivalent to root, no one can become root.


How to Make Root a Role

  1. Log in to the target server.

  2. Become superuser.

  3. Edit the /etc/user_attr file.

    Here is an excerpt from a typical user_attr file.


    root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
    johnDoe::::type=normal

  4. Check that your name is in the file.

  5. Add root to the roles that are assigned to your record.

    Assign the root role to any applicable users. If you intend to use primaryadmin as your most powerful role, you do not have to assign root to any users.


    johnDoe::::type=normal;roles=root
    
  6. Go to the root record in the file and change type=normal to type=role.


    root::::type=role;auths=solaris.*,solaris.grant;profiles=All

  7. Save the file.
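
The check below is an added example, not part of the original guide. It reads a user_attr file and reports whether root, once it is a role, is assigned to at least one normal user, which is the lockout condition the caution describes. The function name check_root_role and its exit codes are assumptions made for this example, as is treating a record with no type attribute as a normal user.

```shell
#!/bin/sh
# Added example: pre-save sanity check for an edited user_attr file.
# Usage: check_root_role FILE        (FILE defaults to /etc/user_attr)
# Exit status (chosen for this example):
#   0 = safe, 1 = root is a role that no user can assume, 2 = no root record
check_root_role() {
    awk -F: '
    /^[ \t]*#/ || NF < 5 { next }      # skip comments and short records
    {
        # Record layout: user:qualifier:res1:res2:attr, attr is key=value;...
        name = $1; type = "normal"; roles = ""   # assumption: no type means normal
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^type=/)  type  = substr(kv[i], 6)
            if (kv[i] ~ /^roles=/) roles = substr(kv[i], 7)
        }
        if (name == "root") {
            seen = 1; roottype = type
        } else if (type == "normal") {
            # Only normal users count: a role cannot assume another role.
            m = split(roles, r, ",")
            for (j = 1; j <= m; j++)
                if (r[j] == "root") holders = holders " " name
        }
    }
    END {
        if (!seen) { print "no root record found"; exit 2 }
        if (roottype != "role") { print "root is a normal user"; exit 0 }
        if (holders == "") {
            print "LOCKOUT: root is a role but no user is assigned it"
            exit 1
        }
        print "root is a role; assignable to:" holders
    }' "${1:-/etc/user_attr}"
}
# Example call on a working copy before it replaces the live file:
#   check_root_role /tmp/user_attr.new || echo "do not install this file"
```

A nonzero status from the check means the file should not be saved over /etc/user_attr as it stands. The check does not account for a separate role such as primaryadmin being used in place of root.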