The default gid value that is used in the useradd(1M) command is
currently 1 (other), but the default in the auto-install manifest is
10 (staff). These two need to match so that the initial user can
create additional users with the default profile which is assigned
to the initial user, System Administrator. The recently approved
case, group*(1M) updates, PSARC/2011/082, restricts a user with just
this set of profiles to only create new accounts that have a primary
group of which the initial user is a member.
(I'm assuming that the initial user is not assuming the root role).
So, I would like the RBAC team to change the default gid to 10, not
1, as part of the current implementation.
Lokanath, can you include this in your pending integration? Or
should we change auto-install to match the existing defaults?
Here are the initial user defaults:
  useradd: /usr/sadm/defadduser
  auto-install: http://cr.opensolaris.org/~dambi/cr-7012385/usr/src/cmd/auto-install/default.xml.sdiff.html
--Glenn
On 4/4/11 5:14 AM, Jan Damborsky wrote:
Hi Ginnie,
could I please ask you to review changes for unconfiguration
of user and root account and verify that consumed 'unconfig'
interfaces are compliant with what unconfiguration framework
is going to provide?
Webrev:
http://cr.opensolaris.org/~dambi/cr-7012385/
While I was in that code, I fixed a couple of other issues -
here is the complete list of all CRs addressed by the webrev
above:
7012385 Provide for unconfiguration of root password and user account
7019611 PSARC/2010/457 went in, home ZFS dataset no longer needs special treatment in NGZ
7031709 svc-system-config merge turds pushed with 1028:2757a30c0d93 should be cleaned up
7026520 The initial user after install should have the "System Administrator" profile
As usual, comments from other people are welcome :-)
Code review comments are to be accepted until COB Friday 4/8.
Thank you very much,
Jan
Tests accomplished:
[1] Distro Constructor
  * install ISO images (AI, text, GUI) built with modified DC
[2] Fresh Installation
  * install ISO images (AI, text, GUI) built
  * Interactive (GUI, text) and Automated Installation tested
  * On installed system it was verified that initial user account has 'System Administrator' rights profile assigned
[3] zones
  * non-global zone (NGZ) 'sc' was freshly installed with modified install bits
  * SCI tool was used to configure installed zone 'sc' - initial user account was created
  * it was verified that user's home directory (along with underlying ZFS dataset) was correctly created
[4] user/root unconfiguration
  * NGZ 'sc' was booted into milestone 'none' - from global zone:
    # zoneadm -z sc boot -- -m milestone=none
  * user/root account was unconfigured from zone's console:
    # zlogin -C sc
    Enter user name for system maintenance (control-d to bypass): root
    Enter root password (control-d to bypass): ****
    root@sc:~# /lib/svc/method/svc-system-config
    Usage: /lib/svc/method/svc-system-config { start | unconfigure [-d] }
    root@sc:~# SMF_FMRI=svc:/system/config:default /lib/svc/method/svc-system-config unconfigure -d
    Removing initial user account from the system.
    Calling 'userdel -S files -r dambi' to remove user account <dambi> and home directory.
    UX: userdel: ERROR: Cannot resolve hostname - sc.
    User account successfully removed.
    Reverting configuration of root account into pristine state.
    passwd: password information changed for root
    Root is currently a role, reverting it to normal account.
    UX: rolemod: root is currently logged in, some changes may not take effect until next login.
    Root account successfully unconfigured.
    root@sc:~# reboot
    [NOTICE: Zone rebooting]
    SunOS Release 5.11 Version snv_162 64-bit
    Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
    Hostname: sc-dambi-sci
    sc-dambi-sci console login: root
    Password: Apr 4 10:58:08 sc-dambi-sci login: pam_authtok_get: login: empty password not allowed for root from localhost.
Known issues:
7030192 'userdel(1m) -r' does not remove ZFS dataset unless that dataset is mounted
7033510 UX: useradd: ERROR in logs when svc-system-config is ran before name resolving works
--
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering
_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss