I've been experimenting on Solaris 10 with roles that have no password
(i.e., have had "passwd -d" run against them).

Despite initial discomfort, this seems to have little to no downsides,
allowing me to use roles just as I expect to be able to but without the
overhead of having to exchange/synchronise passwords amongst trusted
users.

However, I'm unable to do this on SXCE.  Attempts to su to a role with
no password give the error message "Password for user 'gfish' has
expired".

This is because PASSREQ=YES in /etc/default/login is enforced in Nevada.
It looks like this is PSARC/2007/700, but I'm unable to find the commit
in the hg logs - as far as I can tell, the OpenSolaris repository has
always contained this enforcement.  Also, the manpage changes proposed
in that case have not been made (this led me to spend quite some time
tracking down why SXCE was telling me the password had expired when
aging wasn't enabled).

Since PSARC/2007/700 requested Patch binding and was approved, I'm now
worried that at some random point in the future a patch will come which
will break my setups.  Obviously, I can set PASSREQ to NO, but that
would allow all users to have null passwords and I really am only
comfortable with this situation for roles.

So I have some questions:

a) Did PSARC/2007/700 integrate somewhere?
b) If so, why didn't the manpage change integrate?
c) Is having passwordless roles any less stupid than passwordless users?
d) If I proposed a change for adding PASSREQROLES or similar to allow
    the option to be restricted to roles, would that fly at all?
e) Are there plans to putback PSARC/2007/700 to Solaris 10?
f) Is there some way to stop that happening since I can show a
    regression? (not saying that I want to, just that I've got used
    to this working)
g) The error message from su is wrong; should I raise a bug?

And not quite related:

x) Lines 80-82 of src/lib/passwdutil/README.SunOS-aging indicate
    that su never checks aging data, which it actually does (lines
    1271-1282 of src/cmd/su/su.c); should I raise a bug?

Many thanks,

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
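The worry in the post is that setting PASSREQ=NO in /etc/default/login would permit null passwords on every account, when only roles are meant to have them. The script below is an added example, not part of the original message or of OpenSolaris, that audits for exactly that drift: it lists every account whose shadow password field is empty and labels it "role" when /etc/user_attr carries type=role for it, or "user" otherwise. It assumes the Solaris shadow(4) layout (empty second field after passwd -d) and the user_attr(4) layout (type=role in the fifth, semicolon-separated field). The sample shadow and user_attr contents are constructed; point the functions at the real files to run the check on a live system.

```shell
#!/bin/sh
# Added example: list null-password accounts and say whether each is a role.
# Constructed sample data; pass /etc/shadow and /etc/user_attr to run live.

# Print "role <name>" or "user <name>" for every account whose shadow
# password field is empty (the state passwd -d leaves behind).
audit_null_passwords() {
    shadow="$1"
    user_attr="$2"
    awk -F: '
        # First file (user_attr): remember names whose attr field has type=role.
        FNR == NR {
            if ($0 ~ /^#/) next
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] == "type=role") role[$1] = 1
            next
        }
        # Second file (shadow): an empty password field is a null password.
        # *LK* (locked) and NP (no login) are not empty and are skipped.
        $0 !~ /^#/ && $2 == "" {
            print (($1 in role) ? "role" : "user"), $1
        }
    ' "$user_attr" "$shadow"
}

# Count null-password accounts that are NOT roles: the number the poster
# wants to stay at zero even with PASSREQ relaxed.
count_non_role_null() {
    audit_null_passwords "$1" "$2" | awk '/^user /{n++} END{print n+0}'
}

# Constructed sample files standing in for /etc/shadow and /etc/user_attr.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
SAMPLE_USER_ATTR="$SAMPLE_DIR/user_attr"

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$5$constructed$hashgoeshere:14000::::::
ceri:$5$constructed$anotherhash:14000::::::
gfish::14000::::::
bob::14000::::::
nobody:NP:6445::::::
daemon:*LK*:6445::::::
EOF

cat > "$SAMPLE_USER_ATTR" <<'EOF'
# constructed: gfish is a role, bob has no entry and is an ordinary user
root::::auths=solaris.*,solaris.grant;profiles=All
gfish::::type=role;profiles=System Administrator
ceri::::type=normal;roles=gfish
EOF

# Run the audit on the sample data: prints "role gfish" then "user bob".
audit_null_passwords "$SAMPLE_SHADOW" "$SAMPLE_USER_ATTR"
echo "non-role accounts with null passwords: $(count_non_role_null "$SAMPLE_SHADOW" "$SAMPLE_USER_ATTR")"
```

On a real host the second function is the one worth wiring into a periodic check: any non-zero result means a null password has appeared on an ordinary user, which is the regression the PASSREQ=NO workaround makes possible.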