On Tue, 2014-12-09 at 08:38 -0500, Bastien Nocera wrote:
----- Original Message -----
>
> On Tue, 2014-12-09 at 05:51 -0500, Bastien Nocera wrote:
> > A number of OSes default to having the first created user be the
> > "Administrator", including OSX, Windows and, closer to our usage,
> > Ubuntu.
> >
> > I don't think that defaulting to the first user being an admin is a
> > problem for people installing multiple machines, as this would be
> > something they would look for. I'd much rather force having an admin on
> > the system and get rid of the root user as something you can log in as.
>
> Well, that works if-and-only-if you are dealing with a predominately
> single-user machine. In the case where you are managing users in a
> FreeIPA or Active Directory domain, in many cases you won't really have
> a "first user" on the system.
Even network-enabled logins have local admin users, such as the well-known
"toor".
Having a local admin that's not root would certainly be beneficial.
> Now, an argument can be made for requiring that the domain policy is set
> up to have appropriate admin privileges for certain users in the domain,
> but that doesn't help if there's a bug in network connectivity or SSSD
> that prevents that admin from being able to log in to fix things.
>
> So I think a strong need remains for having a real root account on
> systems that are domain-enabled.
So you don't want a real root account, you want a local admin with rights
similar to root.
Well, not *necessarily*. First, a local admin account that isn't UID 0
could end up conflicting with a domain account, which is never good.
UID/GID 0 is the only specially-exempted pair from SSSD (so it will
never under any circumstances interfere with it). If we wanted to create
a account with rights similar to root, we might need to consider
reserving another special ID for that user.
But I suppose we're well into "if it walks like a duck, quacks like a
duck and looks like a duck, it's probably functionally equivalent to the
root user" here. Current technical considerations lead to a preference
towards using UID/GID 0 for this purpose (changing the name of root
would be entertaining...), but hey, "it's all code". Nothing is
permanently carved into a marble tablet.