> a) Did PSARC/2007/700 integrate somewhere?

No, not yet; I've been stuck in the changes needed for the graphical installer. Need to pick up the pieces again.

> b) If so, why didn't the manpage change integrate?
> c) Is having passwordless roles any less stupid than passwordless users?

I'd say it is because with passwordless roles you have at least the attribution to which user assumed a role. With passwordless users you'd have no way of knowing who logged into your system.

> d) If I proposed a change for adding PASSREQROLES or similar to allow
> the option to be restricted to roles, would that fly at all?

Not as such, I would think; that would mean we'd have to special-case roles in su(1) while they are just "other accounts" now. If we'd want to special-case this, I think we should do so in an appropriate PAM module that implements the roles-rules.

> e) Are there plans to putback PSARC/2007/700 to Solaris 10?

Not at the moment.

> f) Is there some way to stop that happening since I can show a
> regression? (not saying that I want to, just that I've got used
> to this working)
> g) The error message from su is wrong; should I raise a bug?

I think this is an artifact of how the current code deals with offending PASSREQ; feel free to file a bug and I'll take it on with the work I'm doing on 2007/700.

> And not quite related:
>
> x) Lines 80-82 of src/lib/passwdutil/README.SunOS-aging indicate
> that su never checks aging data which it actually does (lines
> 1271-1282 of src/cmd/su/su.c); should I raise a bug?

Well, I'll update the file, but it's nothing more than a quote from an old source explaining some details that had been lost from our own source base; something I needed when I did a rewrite of the PAM modules back in 2001 or so. It mostly has historical value, even though I agree that it shouldn't contain false statements.

Joep