All,
So Alan and I had an off alias conversation about his security question.
I pointed out that the questionnaire talks about the security for the
project:

The creation of a user account is optional. If a user account is created,
root is a role (not allowed to login). If the user account is not created,
then a root login is allowed. The root password and the user account
password are not required. However, if not provided, the user must respond
to a confirmation dialog warning that the system is unsecured.

Alan pointed out that this says nothing about the user account being added
to /etc/user_attr with the flags "role=root" or whether it continues the
LiveCD/GUI installer "bug" of also adding "profiles=Primary Administrator".
Alan further stated that this is something that needs to be clearly
documented for the many admins unfamiliar with RBAC, that this user
account isn't just the same as a default new user, but has this role, and
if they delete it or create new users what to do.
The project team confirmed the "profiles=Primary Administrator" issue as
well. They further stated that even though the Text Installer has help
screens, this nuance is not documented, but they believe that it would be
something that would be helpful.
We need further discussion on this topic.
Thanks,
John

On 06/ 9/10 03:45 PM, Alan Coopersmith wrote:
> Sue Sohn wrote:
>> On 06/09/10 15:04, Alan Coopersmith wrote:
>>> Sue Sohn wrote:
>>>> On 06/09/10 13:38, Alan Coopersmith wrote:
>>>>> Is the user account created during the install granted any special
>>>>> privileges or roles?
>>>> There are no special privileges, it is similar to the user account
>>>> created by the livecd's gui installer.
>>> The LiveCD GUI installer currently does assign extra privileges to the
>>> account created though - it puts an entry in /etc/user_attr allowing that
>>> user to run commands as root via pfexec.
>> For the user account, root is a role. I thought you meant something
>> beyond that since root being a role was mentioned in the materials.
> Root being a role is why I suspected the user had more than basic privileges,
> but that wasn't called out in the case materials.
_______________________________________________
opensolaris-arc mailing list
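
Added example, not part of the original thread or the installer project's code: a shell check for the /etc/user_attr entries discussed above, listing login accounts that can assume the root role or hold the Primary Administrator profile. It assumes the user_attr(4) layout (`user:qualifier:res1:res2:attr`, with the attribute keys `roles`, `profiles` and `type`); the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# List login accounts in a user_attr(4)-format file that may assume the root
# role or that hold the "Primary Administrator" profile.
# Usage: audit_user_attr FILE   (FILE defaults to /etc/user_attr, "-" = stdin)
audit_user_attr() {
    awk -F: '
        function has(list, want,    a, m, j) {   # exact match in a comma list
            m = split(list, a, ",")
            for (j = 1; j <= m; j++) if (a[j] == want) return 1
            return 0
        }
        /^[ \t]*#/ || NF < 5 { next }            # comments, blank or short lines
        {
            attr = $5                            # attributes follow the 4th colon
            for (i = 6; i <= NF; i++) attr = attr ":" $i
            is_role = 0; roles = ""; profs = ""
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (key == "type" && val == "role") is_role = 1
                else if (key == "roles") roles = val
                else if (key == "profiles") profs = val
            }
            if (is_role) next                    # report users, not role entries
            if (has(roles, "root")) print $1 ": roles=root"
            if (has(profs, "Primary Administrator")) print $1 ": profiles=Primary Administrator"
        }
    ' "${1:-/etc/user_attr}"
}

# Constructed sample entries (not taken from a real system).
sample_user_attr() {
    cat <<'EOF'
# user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
jack::::profiles=Primary Administrator;roles=root
jill::::profiles=Basic Solaris User
sam::::roles=backup,root
EOF
}

sample_user_attr | audit_user_attr -
```

Run against the installed system's /etc/user_attr after an install, any account reported here is not equivalent to a default new user.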