On 03/ 2/10 12:38 PM, Matt Keenan wrote: > On 03/ 2/10 05:01 PM, Dave Miner wrote: >> On 03/ 2/10 11:51 AM, Keith Mitchell wrote: >>> Hi Matt, >>> >>> Since the liveCD is intended to mimic the installed environment, would >>> it not make sense to remove the Primary Administrator role from the >>> 'jack' user delivered by SUNWslim-utils (instead of changing line 514; >>> line 558 would still need to change)? That way the default login >>> functions identically to what the user will have after the installation. >>> >>> Also, I think a significant amount of documentation (in install, pkg, >>> and elsewhere) exists that calls for running "pfexec<cmd>". I think >>> this change renders that documentation invalid, are there bugs filed to >>> update these docs appropriately? Error messages as well sometimes >>> recommend running the command again with pfexec, and would need to be >>> updated, unless I misunderstand the implications of this change. >>> >> >> I'd suggest we defer this particular change, as the switch to sudo was >> (somewhat to my surprise, though we'd been talking about it for way over >> a year) included in PSARC 2010/067 which is under discussion right now. > > No problem. > > Based on this proposal, will we (slim_install) be required to implement > addition of initial user to /etc/sudoers, as well as removal of Primary > Administrator profile ? > > If so I can at least prepare a webrev that does this, and if/when this ARC > case > gets approved we will be ready to roll with the change. >
I'd recommend waiting, as there are multiple potential options depending on how the security team states their plans to deal with RBAC/sudo integration. Dave > cheers > > Matt > >> Dave >> >>> - Keith >>> >>> On 03/ 2/10 05:24 AM, Matt Keenan wrote: >>>> Code review please for following bug : >>>> 4885 - User created by installer gets unsafe profile "Primary >>>> Administrator" >>>> http://defect.opensolaris.org/bz/show_bug.cgi?id=4885 >>>> >>>> Webrev: >>>> http://cr.opensolaris.org/~mattman/bug-4885/ >>>> >>>> Code change is relatively trivial simply amending ict.c to sed out >>>> "profile=Primary Administrator," from /etc/user_attr for initial user. >>>> >>>> This is being implemented as a request during review of ARC case : >>>> PSARC/2007/284 >>>> >>>> cheers >>>> >>>> Matt >>>> _______________________________________________ >>>> caiman-discuss mailing list >>>> caiman-discuss at opensolaris.org >>>> http://mail.opensolaris.org/mailman/listinfo/caiman-discuss >>> _______________________________________________ >>> caiman-discuss mailing list >>> caiman-discuss at opensolaris.org >>> http://mail.opensolaris.org/mailman/listinfo/caiman-discuss >> >
