On Mon, Mar 20, 2023 at 4:11 AM Felix Miata mrmazda@earthlink.net wrote:
If the superuser can't do something, how can a mere mortal user be expected to do same? When the superuser determines *everything* works as expected is time enough to create the first regular user.
This can actually happen under SELinux (and probably AppArmor). Under SELinux, root is just another account to contain. It is possible to deny root access to something, but provide access to unprivileged users. I don't think I've ever come across the use case, though.
A similar constraint on root is with databases. Databases use their own authentication systems, and root would just be another user if added to the database. You would need to do something special to give root privileges. (Modulo domain sockets that use an auth_plugin for authentication).
Jeff