Jason:

> Two questions from the peanut gallery, inline...
>
> On Mon, Aug 17, 2009 at 8:20 PM, Brian Cameron<Brian.Cameron at sun.com>  
> wrote:
>> - There are many concerns about the Face Browser and whether it should
>>   be turned on by default.
>>
>>   - Glenn Faden suggested it not be the default because it is a
>>     potential security vulnerability to expose usernames before
>>     authentication.
>>
>>   Proposed Solution:
>>
>>   Turn off the Face Browser by default.  This will make OpenSolaris
>>   different than everybody else, but our users love us because we are
>>   such curmudgeons about these things, I guess.
>
> My apologies if I missed this in the prior discussion, but how will
> this setting be managed?  Specifically, can it be controlled via SMF?
> If my understanding is correct, having the ability to manage the
> behavior via SMF would tie in nicely to some of the automated
> installation work that is going on.  If not, how would one control
> this behavior during an automated install?

Making this work via an SMF property seems a good idea to me.  Especially
if this is the sort of setting people would want to change during an
automated install.  Is this the only configuration option that needs
such management?

Note that GDM has GUI and daemon configuration.  Some daemon
configuration requires restarting GDM for a change to take effect.  So
it might be hard to make this work via an SMF property for GDM server
configuration options.  However the Face Browser is a GDM greeter GUI
configuration option, and easier to update on the fly.

Without such a property, it would be necessary to set a GConf setting
for the GDM user.  This could be done by running the gconftool-2
command with the right arguments to set the desired configuration
key as the "gdm" user.

>> - Glenn Faden had a concern that the "Shutdown" and "Reboot" buttons
>>   should not appear in the GDM login GUI by default.  This is not a
>>   problem since they only appear if the "gdm" user has the
>>   solaris.system.shutdown authority, which it does not have by default.
>
> I could see this as being useful (though I agree not the default).
> Will this be documented anywhere (outside of this case) for those that
> might wish to enable it?

How about the GDM docs?

   http://library.gnome.org/admin/gdm/2.27/security.html.en#rbac

These docs will match the docs that are installed on the local
filesystem with the GDM packages.

Brian
