Hi,

What is the decision on this issue? Can we handle 4885 and 1436 as separate issues and allow 1436 to be integrated, or do we need to fix 4885 first?
Back to 1436: we set PASSREQ=YES in /etc/default/login as the default setting in OpenSolaris. To allow a null password for root, does PASSREQ have to be changed to NO? Are there any security issues with turning the flag to NO?

Thanks,
Sundar

Dave Miner wrote:
> Darren J Moffat wrote:
>> Dave Miner wrote:
>>> Darren J Moffat wrote:
>>>> Sundar Yamunachari wrote:
>>>>> Darren J Moffat wrote:
>>>>>> Sundar Yamunachari wrote:
>>> ...
>>>>>>> - Does it make sense to force the administrative user to
>>>>>>> set up a password for root in order to become a super user on the
>>>>>>> installed system?
>>>>>> I'm not sure we are ready to do this yet; I think 4885 needs to be
>>>>>> resolved first.
>>>>> Do you suggest holding off fixing 1436 till we get 4885 resolved?
>>>> Given that 1436 assumes the current situation of abuse of "Primary
>>>> Administrator" I think we should resolve 4885 first. Both should
>>>> ideally be resolved before 2010.03 ships.
>>>>
>>> I believe that the proposed solution to 1436 depends only on the
>>> root role being assigned to the user by default, which appears not
>>> to be at issue. Switching from assigning the Primary Administrator
>>> profile to using sudo is worthwhile and we'll do it at some point
>>> (or would take contributions that do it...), but seems orthogonal to
>>> the question of the root password. Is there some other issue here?
>>
>> Yes, at the very least by having "Primary Administrator" the initial
>> user also gets the solaris.system.maintenance which would allow them
>> to use their username and password to enter single user mode
>> (sulogin(1M)), which you can't do as root if root is a role.
>>
>
> OK, so when we switch to sudo in 4885 then we also assign that
> authorization. Definitely need the user to be able to do that.
>
>> I think we need to ensure this is looked at as a whole, not piecemeal.
>>
>
> Looking at it is one thing, requiring all the changes at once is another.
> Have we not already agreed that sudo should be the general resolution
> to 4885? Are there other authorizations that need to be included when
> we make that change?
>
> Dave
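The PASSREQ question above comes down to the interaction of two files: the PASSREQ flag in /etc/default/login and an empty password field in /etc/shadow. The following is an added example, not code from the thread or from the OpenSolaris installer: a small POSIX sh audit that reads both files and reports whether the pair permits a passwordless login. It assumes only the KEY=VALUE layout of /etc/default/login and the colon-separated shadow(4) format; the sample files it checks are constructed inline, not copied from any system, and the hash shown is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Solaris-style
# /etc/default/login together with a shadow-format file for the
# "PASSREQ=NO plus empty password field" combination discussed above.

# Print the effective PASSREQ value from a /etc/default/login-style file.
# Comment lines are ignored, the last assignment wins, and a file that
# never sets PASSREQ yields UNSET (we do not guess login's built-in default).
passreq_value() {
  awk -F= '
    /^[ \t]*#/ { next }
    $1 ~ /^[ \t]*PASSREQ[ \t]*$/ {
      v = $2
      gsub(/^[ \t]+/, "", v)       # strip leading blanks
      sub(/[ \t#].*/, "", v)       # strip trailing blanks or comment
    }
    END { if (v == "") v = "UNSET"; print toupper(v) }
  ' "$1"
}

# Print the names of accounts whose password field (field 2) is empty.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Succeed (exit 0) only if PASSREQ is not YES *and* some account has an
# empty password field: an empty field alone is harmless while PASSREQ=YES.
null_login_possible() {
  [ "$(passreq_value "$1")" != "YES" ] && [ -n "$(empty_password_accounts "$2")" ]
}

# ---- constructed sample input (assumption: not real system files) ----
LOGIN_DEFAULT=$(mktemp); LOGIN_WEAK=$(mktemp); SHADOW=$(mktemp)
trap 'rm -f "$LOGIN_DEFAULT" "$LOGIN_WEAK" "$SHADOW"' EXIT

cat > "$LOGIN_DEFAULT" <<'EOF'
# sample /etc/default/login: the OpenSolaris default discussed above
PASSREQ=YES
EOF

cat > "$LOGIN_WEAK" <<'EOF'
# sample /etc/default/login: password requirement switched off
PASSREQ=NO
EOF

cat > "$SHADOW" <<'EOF'
root::14600::::::
sundar:$5$saltsalt$placeholderhashnotarealone:14600::::::
EOF

# Report on both configurations against the same shadow file.
for f in "$LOGIN_DEFAULT" "$LOGIN_WEAK"; do
  if null_login_possible "$f" "$SHADOW"; then verdict="passwordless login POSSIBLE"
  else verdict="password still required"; fi
  printf 'PASSREQ=%-5s empty-password accounts: %-8s => %s\n' \
    "$(passreq_value "$f")" "$(empty_password_accounts "$SHADOW" | tr '\n' ' ')" "$verdict"
done
```

Run it as-is to see the two verdicts; on a real host you would point `null_login_possible` at /etc/default/login and /etc/shadow (as root) instead of the constructed files. Note that this only inspects configuration: whether login(1) actually honours a null root password also depends on root being a normal account rather than a role, which is the other half of the discussion above.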