> a) Did PSARC/2007/700 integrate somewhere?

No, not yet; I've been stuck in the changes needed for the graphical
installer. Need to pick up the pieces again.

> b) If so, why didn't the manpage change integrate?
> c) Is having passwordless roles any less stupid than passwordless users?

I'd say it is because with passwordless roles you have at least the
attribution to which user assumed a role. With passwordless users
you'd have no way of knowing who logged into your system.

> d) If I proposed a change for adding PASSREQROLES or similar to allow
>     the option to be restricted to roles, would that fly at all?

Not as such, I would think; that would mean we'd have to special-case
roles in su(1) while they are just "other accounts" now. If we'd want to
special-case this, I think we should do so in an appropriate PAM
module that implements the roles-rules.

> e) Are there plans to putback PSARC/2007/700 to Solaris 10?

Not at the moment.

> f) Is there some way to stop that happening since I can show a
>     regression? (not saying that I want to, just that I've got used
>     to this working)
> g) The error message from su is wrong; should I raise a bug?

I think this is an artifact of how the current code deals with
offending PASSREQ; feel free to file a bug and I'll take it on with
the work I'm doing on 2007/700.

> And not quite related:
> 
> x) Lines 80-82 of src/lib/passwdutil/README.SunOS-aging indicate
>     that su never checks aging data which it actually does (lines
>     1271-1282 of src/cmd/su/su.c); should I raise a bug?

Well, I'll update the file, but it's nothing more than a quote from
an old source explaining some details that had been lost from our own
source base; something I needed when I did a rewrite of the PAM
modules back in 2001 or so. It mostly has historical value, even though
I agree that it shouldn't contain false statements.

Joep
