On Mon, Mar 20, 2023 at 4:11 AM Felix Miata <mrmazda(a)earthlink.net> wrote:
If the superuser can't do something, how can a mere mortal user be expected to do
same? When the superuser determines *everything* works as expected is time enough
to create the first regular user.
This can actually happen under SELinux (and probably AppArmor). Under
SELinux, root is just another account to contain. It is possible to
deny root access to something, but provide access to unprivileged
users. I don't think I've ever come across the use case, though.
A similar constraint on root is with databases. Databases use their
own authentication systems, and root would just be another user if
added to the database. You would need to do something special to give
root privileges. (Modulo domain sockets that use an auth_plugin for
authentication).
Jeff