Securing Users and Processes in Oracle® Solaris 11.2

Updated: July 2014
 
 

Deciding Which Rights Model to Use for Administration

Rights in Oracle Solaris include rights profiles, authorizations, and privileges. Oracle Solaris offers several ways to configure administrative rights on a system.

The following list is ordered from the most secure model to the less secure, traditional superuser model.

  1. Divide administrative tasks among several trusted users, each of whom has limited rights. This approach is the Oracle Solaris rights model.

    For information about how to follow this approach, see Following Your Chosen Rights Model.

    For a discussion of the benefits of this approach, see Chapter 1, About Using Rights to Control Users and Processes.

  2. Use the default rights configuration. This approach uses the rights model but does not customize it to your site.

    By default, the initial user has some administrative rights and can assume the root role. Optionally, the root role could assign the root role to another trusted user. For greater security, the root role would enable the auditing of administrative commands.

    Tasks that are useful to administrators who use this model are the following:

  3. Use the sudo command.

    Administrators who are familiar with the sudo command can configure sudo and use it. Optionally, they can configure the /etc/sudoers file to enable sudo users to run administrative commands without reauthentication for a set period of time.

    Tasks that are useful to sudo users are the following:

    The sudo command is not as tightly integrated with the kernel as rights profiles are. The command runs as root with all privileges so that it can grant the rights that are specified for each program in the /etc/sudoers file for the current user. Although sudo cannot specify the attributes of the program's subsequent child processes, it can block their execution: the Oracle Solaris version of sudo removes the PRIV_PROC_EXEC privilege from the process. For more information, see the Oracle Solaris version of the sudo(1M) man page.

  4. Use the superuser model by changing the root role into a user.

    Administrators who use the traditional UNIX model must complete How to Change the root Role Into a User. Optionally, the root user can configure auditing.
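For sites that choose the sudo model in item 3, the following added example (not code from this guide or from Oracle) audits sudoers text for the two settings discussed there: a reauthentication timestamp that never expires, and commands whose child processes are not blocked. It assumes the standard sudoers `timestamp_timeout` option and `NOEXEC`/`EXEC` tags; the sample rules, the user names, and the `audit` function are constructed for illustration, and the parser handles only simple rules, not aliases or multiple host lists.

```python
import re

# Constructed sample sudoers text for this example (not from a real system).
SAMPLE = r"""
Defaults timestamp_timeout=15
Defaults:jdoe timestamp_timeout=-1
jdoe   ALL = (root) /usr/bin/vi /etc/hosts
opuser ALL = (root) NOEXEC: /usr/bin/vi /etc/hosts, \
                    EXEC: /usr/sbin/svcadm
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Report non-expiring timestamps and commands that run without NOEXEC."""
    lines = list(logical_lines(text))
    # A bare "Defaults noexec" applies NOEXEC everywhere unless EXEC overrides it.
    global_noexec = any(
        re.fullmatch(r"Defaults\s+(.*,\s*)?noexec(\s*,.*)?", ln) for ln in lines)
    findings = []
    for line in lines:
        if line.startswith("Defaults"):
            scope, _, settings = line.partition(" ")
            for m in re.finditer(r"timestamp_timeout\s*=\s*(-?[\d.]+)", settings):
                if float(m.group(1)) < 0:  # negative: the timestamp never expires
                    findings.append(("timestamp-never-expires", scope))
            continue
        if re.match(r"(User|Runas|Host|Cmnd)_Alias\b", line) or "=" not in line:
            continue  # alias definitions are outside this example's scope
        who, _, rhs = line.partition("=")
        user = who.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)", "", rhs)  # strip the (runas) spec
        noexec = global_noexec  # a tag persists for later commands in the list
        for cmd in rhs.split(","):
            cmd = cmd.strip()
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            if not noexec:
                findings.append(("child-exec-allowed", user, cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each `child-exec-allowed` finding marks a command that can start further programs as root, which is the case the `NOEXEC` tag is meant to close for editors and similar tools.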