Based on the comments of others I think there is some confusion as to what this case is actually proposing; the notes part is supporting information, not actual change. I think it is simply this:

Instead of being asked for the root password when sulogin runs, it now asks for a username and password. If the username provided is not root then the user must have been granted the solaris.system.maintenance authorisation. However, it will still be "root" that is logged in via sulogin, not the user.

In a default configuration with the current Solaris legacy installer the only change is that the word "root" needs to be entered before the root password (because root has all solaris.* authorisations explicitly granted in root's user_attr(4) entry).

This case basically just names a new authorisation that can be given to users. It doesn't change the behaviour of the root account, and it doesn't require that the installer or sysidroot (or any other part of sysid) be changed. The case *suggests* a possible future case, for a possible Major release binding, where this new policy is used as part of a bigger future change to restrict root from logins completely.

The one part of the notes that I think is critical is "This proposal does not ensure that the authenticated username is not a role." In particular it ensures that this case is compatible with the legacy Solaris installer and the root as a role behaviour that OpenSolaris 2008.05 (Caiman) uses when a local account *is* created at install time.

Is that a correct interpretation?

--
Darren J Moffat
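Added example (not part of the message above and not sulogin's own code): a simplified Python model of the decision the message describes, useful for auditing which accounts a given user_attr(4) file would let into maintenance mode. It assumes only authorisations assigned directly in user_attr count (profiles and policy.conf defaults are ignored), applies the same check to root, and uses constructed sample entries and hypothetical function names.

```python
MAINT_AUTH = "solaris.system.maintenance"

# Constructed sample entries in user_attr(4) layout: user:qualifier:res1:res2:attr
SAMPLE_USER_ATTR = """\
# constructed for illustration only
root::::auths=solaris.*,solaris.grant;profiles=All
alice::::auths=solaris.system.maintenance
bob::::auths=solaris.system.shutdown;profiles=Basic Solaris User
"""

def parse_user_attr(text):
    """Return {username: [authorisation, ...]} from user_attr(4)-style text."""
    auths = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # a malformed entry grants nothing
        user, attr = fields[0], fields[4]
        for pair in attr.split(";"):
            key, _, value = pair.partition("=")
            if key == "auths":
                names = [a.strip() for a in value.split(",") if a.strip()]
                auths.setdefault(user, []).extend(names)
    return auths

def auth_matches(granted, wanted):
    """Exact match, or a trailing '*' covering everything under its prefix."""
    if granted == wanted:
        return True
    return granted.endswith("*") and wanted.startswith(granted[:-1])

def may_enter_maintenance(username, auths_by_user):
    """True if the named account holds the maintenance authorisation."""
    granted = auths_by_user.get(username, [])
    return any(auth_matches(g, MAINT_AUTH) for g in granted)

def sulogin_shell_user(username, password_ok, auths_by_user):
    """Identity of the resulting shell: always root on success, else None.

    password_ok stands in for authenticating `username` with their own
    password, which is outside this model.
    """
    if password_ok and may_enter_maintenance(username, auths_by_user):
        return "root"  # the session is root's, whoever authenticated
    return None
```

Because the resulting shell is always root, every account this check accepts is effectively a holder of root-equivalent access at the console, so the list of accepted names is worth reviewing alongside the root password itself.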
