Hi Glenn,
thank you for looking at these changes.
Just a small nit: not only AI (in the default case), but other
installers as well (GUI, text) create the initial user with gid 10
(staff), so the behavior is consistent across install technologies,
though only AI provides for customizing the gid via the System
Configuration manifest.
Jan
On 04/ 6/11 01:51 AM, Glenn Faden wrote:
The default gid value that is used in the useradd(1M) command is
currently 1 (other), but the default in the auto-install manifest is
10 (staff). These two need to match so that the initial user can
create additional users with the default profile which is assigned to
the initial user, System Administrator. The recently approved case
group*(1M) updates, PSARC/2011/082 restricts a user with just this set
of profiles to only create new accounts that have a primary group of
which the initial user is a member.
(I'm assuming that the initial user is not assuming the root role).
So, I would like the RBAC team to change the default gid to 10, not 1,
as part of the current implementation.
Lokanath, can you include this in your pending integration? Or should
we change auto-install to match the existing defaults?
Here are the initial user defaults:
useradd:
/usr/sadm/defadduser
auto-install
http://cr.opensolaris.org/~dambi/cr-7012385/usr/src/cmd/auto-install/default.xml.sdiff.html
--Glenn
On 4/4/11 5:14 AM, Jan Damborsky wrote:
Hi Ginnie,
could I please ask you to review the changes for unconfiguration
of the user and root accounts and verify that the consumed 'unconfig'
interfaces are compliant with what the unconfiguration framework
is going to provide?
Webrev:
http://cr.opensolaris.org/~dambi/cr-7012385/
While I was in that code, I fixed a couple of other issues -
here is the complete list of all CRs addressed by the webrev above:
7012385 Provide for unconfiguration of root password and user account
7019611 PSARC/2010/457 went in, home ZFS dataset no longer needs
        special treatment in NGZ
7031709 svc-system-config merge turds pushed with 1028:2757a30c0d93
        should be cleaned up
7026520 The initial user after install should have the "System
        Administrator" profile
As usual, comments from other people are welcome :-)
Code review comments are to be accepted until COB Friday 4/8.
Thank you very much,
Jan
Tests accomplished:
[1] Distro Constructor
* install ISO images (AI, text, GUI) built
  with modified DC
[2] Fresh Installation
* install ISO images (AI, text, GUI) built
* Interactive (GUI, text) and Automated Installation tested
* On installed system it was verified that initial
user account has 'System Administrator' rights profile assigned
[3] zones
* non-global zone (NGZ) 'sc' was freshly installed with modified
  install bits
* SCI tool was used to configure installed zone 'sc' -
  initial user account was created
* it was verified that user's home directory (along with underlying
  ZFS dataset) was correctly created
[4] user/root unconfiguration
* NGZ 'sc' was booted into milestone 'none' - from global zone:
# zoneadm -z sc boot -- -m milestone=none
* user/root account was unconfigured from zone's console:
# zlogin -C sc
Enter user name for system maintenance (control-d to bypass): root
Enter root password (control-d to bypass): ****
root@sc:~# /lib/svc/method/svc-system-config
Usage: /lib/svc/method/svc-system-config { start | unconfigure [-d] }
root@sc:~# SMF_FMRI=svc:/system/config:default /lib/svc/method/svc-system-config unconfigure -d
Removing initial user account from the system.
Calling 'userdel -S files -r dambi' to remove user account <dambi> and home directory.
UX: userdel: ERROR: Cannot resolve hostname - sc.
User account successfully removed.
Reverting configuration of root account into pristine state.
passwd: password information changed for root
Root is currently a role, reverting it to normal account.
UX: rolemod: root is currently logged in, some changes may not take effect until next login.
Root account successfully unconfigured.
root@sc:~# reboot
[NOTICE: Zone rebooting]
SunOS Release 5.11 Version snv_162 64-bit
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Hostname: sc-dambi-sci
sc-dambi-sci console login: root
Password: Apr 4 10:58:08 sc-dambi-sci login: pam_authtok_get: login: empty password not allowed for root from localhost.
Known issues:
7030192 'userdel(1m) -r' does not remove ZFS dataset unless that
        dataset is mounted
7033510 UX: useradd: ERROR in logs when svc-system-config is ran
        before name resolving works
--
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering
_______________________________________________
caiman-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss