Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Changing Whether root Is a User or a Role

By default, root is a role in Oracle Solaris. You have the option to change it to a user, change it back in to a role, or remove it from use.

You must change root to a user if you are using Oracle Enterprise Manager or are following the traditional superuser model of administration rather than the rights model. For background, see Deciding Which Rights Model to Use for Administration.

If you are following the rights model, you might change root to a user when decommissioning a system that has been removed from the network. In this scenario, logging in to the system as root simplifies the cleanup.


Note -  If you administer remotely with the root role, see How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4 for secure remote login instructions.

At some sites, root is not a legitimate account on production systems. To remove root from use, see Example 55, Preventing the root Role From Being Used to Maintain a System.

How to Change the root Role Into a User

This procedure is required on systems where root must be able to log in directly to the system.

Before You Begin

You must assume the root role.

  1. Remove the root role assignment from local users.

    For example, remove the role assignment from two users.

    $ su -
    Password: xxxxxxxx
    # roles jdoe
    root
    # roles kdoe
    root
    # roles ldoe
    secadmin
    # usermod -R "" jdoe
    # usermod -R "" kdoe
    #
  2. Change the root role into a user.
    # rolemod -K type=normal root

    Users who are currently in the root role remain so, Other users who have root access can su to root or log in to the system as the root user.

  3. Verify the change.

    You can use one of the following commands.

    • Examine the user_attr entry for root.
      # getent user_attr root
      root::::auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no;
      min_label=admin_low;clearance=admin_high

      If the type keyword is missing in the output or is equal to normal, the account is not a role.

    • View the output from the userattr command.
      # userattr type root

      If the output is empty or lists normal, the account is not a role.

Example 54  Changing the root User Into the root Role

In this example, the root user turns the root user back into a role.

First, the root user changes the root account into a role and verifies the change.

# usermod -K type=role root
# getent user_attr root
root::::type=role...

Then, root assigns the root role to a local user.

# usermod -R root jdoe
Example 55  Preventing the root Role From Being Used to Maintain a System

In this example, site security policy requires that the root account be prevented from maintaining the system. The administrator has created and tested the roles which maintain the system. These roles include every security profile and the System Administrator rights profile. A trusted user has been assigned a role that can restore a backup. No role can change the audit flags for a user, role, or a rights profile or change the password of a role.

To prevent the root account from being used to maintain the system, the security administrator removes the root role assignment. Because the root account must be able to log in to the system in single-user mode, the account retains a password.

# usermod -K roles= jdoe
# userattr roles jdoe

Troubleshooting

In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system.

    If you do not have a local account that can assume the root role by performing the following steps:

  • As root, log in to the system in single-user mode, create a local user account and password.

  • Assign the root role to the new account.

  • Log in as the new user and assume the root role.