On 03/23/10 04:04 PM, Dave Miner wrote: > On 03/23/10 04:09 AM, Jan Damborsky wrote: >> On 03/22/10 05:49 PM, John Plocher wrote: >>> On Mon, Mar 22, 2010 at 6:45 AM, Jan >>> Damborsky<Jan.Damborsky at sun.com> wrote: >>>> We could definitely support 'expire' property for root account as >>>> well - >>>> it would behave in the same way as for user account. >>>> >>>> I am not sure what the default behavior (specified in default.xml) >>>> should be for Automated Installer - do we want to force the admin >>>> to change the root password upon first use ? >>> >>> In a system where the user never logs in directly as root, but has an >>> admin account that uses pfexec, when would "first use" of the root >>> account after a new install actually happen? Would it ever happen? >> >> Hi John, >> >> It would happen in default case, since then according to PSARC/2009/652, >> user would not be assigned with any execution profile. >> Then if one wanted to carry out admin tasks, other mechanism >> than pfexec would need to be used - in case of su(1M), user would >> be prompted to change root password upon the first use. >> >> I can see that might be cumbersome. Maybe we should consider to >> put other default values into SC manifest with the goal to reflect >> the most common way admin configures admin account which might be >> different comparing to how GUI creates user account. >> > > The reason the root account password is pre-expired in the GUI install > case is because we never ask the user to explicitly set it. With AI, > the user will be explicitly setting it by way of the manifest; I can > see offering the option to have it pre-expired, but I don't think it's > necessary to make that the default.
Dave, thank you for pointing this out. I hadn't realized that. Jan
