On 03/23/10 04:09 AM, Jan Damborsky wrote:
> On 03/22/10 05:49 PM, John Plocher wrote:
>> On Mon, Mar 22, 2010 at 6:45 AM, Jan Damborsky <Jan.Damborsky at sun.com>
>> wrote:
>>> We could definitely support 'expire' property for root account as well -
>>> it would behave in the same way as for user account.
>>>
>>> I am not sure what the default behavior (specified in default.xml)
>>> should be for Automated Installer - do we want to force the admin
>>> to change the root password upon first use?
>>
>> In a system where the user never logs in directly as root, but has an
>> admin account that uses pfexec, when would "first use" of the root
>> account after a new install actually happen? Would it ever happen?
>
> Hi John,
>
> It would happen in default case, since then according to PSARC/2009/652,
> user would not be assigned with any execution profile.
> Then if one wanted to carry out admin tasks, other mechanism
> than pfexec would need to be used - in case of su(1M), user would
> be prompted to change root password upon the first use.
>
> I can see that might be cumbersome. Maybe we should consider
> putting other default values into SC manifest with the goal to reflect
> the most common way admin configures admin account which might be
> different compared to how GUI creates user account.
>
The reason the root account password is pre-expired in the GUI install case is because we never ask the user to explicitly set it. With AI, the user will be explicitly setting it by way of the manifest; I can see offering the option to have it pre-expired, but I don't think it's necessary to make that the default.

Dave