Hi Martin,

thank you very much for looking into this,
please see my response in line.

Jan


On 03/17/11 05:25 PM, Martin Widjaja wrote:
> Hi Jan,
>
> Looks good! I have 2 questions:
>
> 6.2 root account
> ----------------
> For root account, smf unconfigure method will
>
> * remove password hash from shadow(4) file
>   (replace it with empty string)
> What is the effect of this? Would this allow root to not log in at all, or would it let root log in without passwd?

Both, depending on which milestone you are booted in -
please see my response to Randall.


> Both are bad I guess, unless the system knows to reset the passwd or re-prompt the passwd securely (console?).

The intent here is to bring the system into a pristine state, e.g.
for purposes of removing credentials in case the system is shipped
in the form of a pre-installed image.
In most cases, the 'unconfigured' state will be a transition phase -
e.g. when a cloned zone is being reconfigured or when a pre-install image
is constructed.
In those cases it is assumed that the configuration step is to be carried
out before the system is finally deployed. For instance, configuration
could be finalized by means of the SCI tool during a subsequent boot
of such a system.



> * change root to normal account if it was configured
>   as a role.
> Does this mean that all the user accounts' root role would also be removed?


No, accounts other than the initial user account will remain untouched.
I have tried it, and changing root to a normal account via 'rolemod -K type=normal root'
does not have the effect of removing the root role from other accounts,
but those other accounts would no longer be able to assume the root role.

> If so, it might be good to log this clearly since this might affect some users who have cron jobs, etc. using the role.

That sounds reasonable - I will add that to the design spec.

_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
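
The two post-unconfigure conditions discussed in this thread (an empty root password field in shadow(4), and accounts still assigned a root role that can no longer be assumed) can be checked with a small audit. This is an added example, not part of the original message or the Caiman design spec; it assumes the standard shadow(4) and user_attr(4) field layouts, and the file contents and function names are constructed for illustration.

```python
"""Audit shadow(4) and user_attr(4) text for the post-unconfigure
conditions discussed in the thread (added example, constructed data)."""

# Constructed sample contents, not taken from a real system.
SHADOW = """\
root::6445::::::
daemon:NP:6445::::::
jack:$5$constructed$hash:15050::::::
"""
USER_ATTR = """\
# constructed sample
root::::type=normal;auths=solaris.*
jack::::type=normal;roles=root;profiles=System Administrator
"""

def empty_password_accounts(shadow_text):
    """Return account names whose shadow(4) password field is empty."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def parse_user_attr(text):
    """Map each user_attr(4) entry name to a dict of its key=value attributes."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # user:qualifier:res1:res2:attr
        if len(fields) != 5:
            continue
        pairs = (kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        entries[fields[0]] = dict(pairs)
    return entries

def unassumable_role_assignments(user_attr_text):
    """Return (user, role) pairs whose role is not defined as type=role."""
    entries = parse_user_attr(user_attr_text)
    stale = []
    for user, attrs in entries.items():
        for role in filter(None, attrs.get("roles", "").split(",")):
            if entries.get(role, {}).get("type", "normal") != "role":
                stale.append((user, role))
    return stale

if __name__ == "__main__":
    print("empty password field:", empty_password_accounts(SHADOW))
    print("stale role assignments:", unassumable_role_assignments(USER_ATTR))
```

Each (user, role) pair it reports is an account whose cron jobs or scripts may depend on the role and is worth logging before the unconfigure step.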
