By default, root is a role in Oracle Solaris. You have the option to change it to a user, change it back in to a role, or remove it from use.
You must change root to a user if you are using Oracle Enterprise Manager or are following the traditional superuser model of administration rather than the rights model. For background, see Deciding Which Rights Model to Use for Administration.
If you are following the rights model, you might change root to a user when decommissioning a system that has been removed from the network. In this scenario, logging in to the system as root simplifies the cleanup.
At some sites, root is not a legitimate account on production systems. To remove root from use, see Example 5–13.
This procedure is required on systems where root must be able to log in directly to the system.
Before You Begin
You must assume the root role.
For example, check which local users are assigned the root role, then remove the assignment from the two users who have it.
% su -
Password: xxxxxxxx
# roles jdoe
root
# roles kdoe
root
# roles ldoe
secadmin
# usermod -R "" jdoe
# usermod -R "" kdoe
#
# rolemod -K type=normal root
Users who are currently in the root role remain so. Other users who have root access can su to root or log in to the system as the root user.
To verify the change, use one of the following commands.
# getent user_attr root
root::::auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
If the type keyword is missing in the output or is equal to normal, the account is not a role.
# userattr type root
If the output is empty or lists normal, the account is not a role.
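Two checks in this procedure are easy to get wrong by eye when many accounts are involved: finding every local user who still has the root role assigned before running rolemod, and reading the type keyword out of a user_attr record. The following POSIX shell helpers are an added example, not part of the Oracle Solaris documentation or its tools; they parse records in the user_attr(5) format that getent user_attr prints, on a constructed sample database, and would be fed the real getent output on a Solaris system. The function names, the sample accounts and the #COLON# placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added helpers for auditing user_attr(5) records (the format printed by
# "getent user_attr" on Oracle Solaris). Not part of the Solaris tool set.
#
# Record layout: user:qualifier:res1:res2:attr, attr = key=value;key=value;...
# Colons inside attr values are escaped as "\:" (for example audit_flags=lo\:no),
# so a naive split on ":" breaks the attr field; the helpers protect them first.

# Constructed sample database (not taken from a real system): root is still a
# role, jdoe and kdoe have it assigned, ldoe has only the secadmin role.
SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no;min_label=admin_low;clearance=admin_high
jdoe::::roles=root;profiles=Basic Solaris User
kdoe::::roles=root,secadmin
ldoe::::roles=secadmin
secadmin::::type=role;profiles=Information Security'

# attr_field USER: print the attr field of USER's record (read from stdin)
# with the escaped colons restored. Prints nothing if USER has no record.
attr_field() {
    awk -F: -v u="$1" '
        $1 == u {
            line = $0
            gsub(/\\:/, "#COLON#", line)   # protect "\:" before splitting on ":"
            split(line, f, ":")
            a = f[5]
            gsub(/#COLON#/, ":", a)        # restore the literal colons
            print a
            exit
        }'
}

# account_type USER: "role" if the attr field carries type=role, "normal" when
# the keyword is absent or set to normal (what "userattr type USER" reports),
# or "unknown" when USER has no record at all.
account_type() {
    rec=$(awk -F: -v u="$1" '$1 == u { print; exit }')
    if [ -z "$rec" ]; then
        echo unknown
        return
    fi
    attrs=$(printf '%s\n' "$rec" | attr_field "$1")
    case ";$attrs;" in
        *";type=role;"*) echo role ;;
        *)               echo normal ;;
    esac
}

# assigned_role ROLE: list, one per line, the accounts whose roles= list
# contains ROLE. Run this before "rolemod -K type=normal root" to find every
# assignment that still has to be cleared with usermod.
assigned_role() {
    awk -F: -v r="$1" '
        {
            line = $0
            gsub(/\\:/, "#COLON#", line)
            split(line, f, ":")
            n = split(f[5], kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) {
                    m = split(substr(kv[i], 7), rl, ",")   # value after "roles="
                    for (j = 1; j <= m; j++)
                        if (rl[j] == r) print f[1]
                }
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_USER_ATTR" | assigned_role root    # prints jdoe and kdoe
printf '%s\n' "$SAMPLE_USER_ATTR" | account_type root     # prints role
printf '%s\n' "$SAMPLE_USER_ATTR" | account_type kdoe     # prints normal
```

On a live system the same functions take the real database on stdin, for example `getent user_attr | assigned_role root`; an empty result means no local user still has the assignment, and `getent user_attr | account_type root` should print normal once rolemod has run.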
In this example, the root user turns the root account back into a role.
First, the root user changes the root account into a role and verifies the change.
# usermod -K type=role root
# getent user_attr root
root::::type=role...
Then, root assigns the root role to a local user.
# usermod -R root jdoe
Example 5-13 Preventing the root Role From Being Used to Maintain a System
In this example, site security policy requires that the root account be prevented from maintaining the system. The administrator has created and tested the roles which maintain the system. These roles include every security profile and the System Administrator rights profile. A trusted user has been assigned a role that can restore a backup. No role can change the audit flags for a user, role, or a rights profile or change the password of a role.
To prevent the root account from being used to maintain the system, the security administrator removes the root role assignment. Because the root account must be able to log in to the system in single-user mode, the account retains a password.
# usermod -K roles= jdoe
# userattr roles jdoe
Troubleshooting
In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system.
If you do not have a local account that can assume the root role, create one by performing the following steps:
As root, log in to the system in single-user mode and create a local user account and password.
Assign the root role to the new account.
Log in as the new user and assume the root role.