On Mon, Jun 09, 2008 at 09:27:24AM +0200, Joep Vesseur wrote:
>> a) Did PSARC/2007/700 integrate somewhere?
>
> No, not yet; I've been stuck in the changes needed for the graphical
> installer. Need to pick up the pieces again.

OK, thanks. Any idea why PASSREQ is already enforced via su on SXCE then?

>> c) Is having passwordless roles any less stupid than passwordless users?
>
> I'd say it is because with passwordless roles you have at least the
> attribution to which user assumed a role. With passwordless users
> you'd have no way of knowing who logged into your system.

Those were my thoughts exactly.

>> d) If I proposed a change for adding PASSREQROLES or similar to allow
>> the option to be restricted to roles, would that fly at all?
>
> Not as such, I would think; that would mean we'd have to special-case
> roles in su(1) while they are just "other accounts" now. If we'd want to
> special-case this, I think we should do so in an appropriate PAM
> module that implements the roles-rules.

That's fine with me, it's the end result I'm concerned with :)

>> g) The error message from su is wrong; should I raise a bug?
>
> I think this is an artifact of how the current code deals with
> offending PASSREQ; feel free to file a bug and I'll take it on with
> the work I'm doing on 2007/700

I'll do so and pass you the ID, thank you.

>> And not quite related:
>>
>> x) Lines 80-82 of src/lib/passwdutil/README.SunOS-aging indicate
>> that su never checks aging data, which it actually does (lines
>> 1271-1282 of src/cmd/su/su.c); should I raise a bug?
>
> Well, I'll update the file, but it's nothing more than a quote from
> an old source explaining some details that had been lost from our own
> source base; something I needed when I did a rewrite of the PAM
> modules back in 2001 or so. It mostly has historical value, even though
> I agree that it shouldn't contain false statements.

Thanks; I understand it's not a definitive statement, but it did sidetrack me for a few minutes when looking into this.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
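Following on the passwordless-roles point in the thread above, an added example (not from this thread or from the OpenSolaris source) that audits Solaris-style shadow and user_attr data for accounts with an empty password field and reports whether each one is a role (type=role in user_attr) or an ordinary user; the file layouts and all sample entries are assumptions constructed for the demo, not taken from a real system.

```shell
# Added example, not part of the original thread.
# Assumed layouts: shadow "name:pw:lastchg:...", user_attr
# "name:qualifier:res1:res2:attrs" with ";"-separated key=value attrs.
# An empty pw field means no password is required; "NP" and "*LK*" are
# not treated as empty.

# passwordless_accounts SHADOW_FILE USER_ATTR_FILE
# Prints "role <name>" or "user <name>" for every empty-password account.
passwordless_accounts() {
    awk -F: '
        NR == FNR {                      # first file: user_attr
            if ((";" $5 ";") ~ /;type=role;/) role[$1] = 1
            next
        }
        $2 == "" {                       # second file: shadow, empty pw
            kind = ($1 in role) ? "role" : "user"
            print kind, $1
        }
    ' "$2" "$1"
}

# Runs the audit over constructed sample data (hypothetical accounts).
passwordless_demo() {
    d=$(mktemp -d)
    cat > "$d/shadow" <<'EOF'
root:$5$salt$constructedhash:17000::::::
operator::17000::::::
backup::17000::::::
guest::17000::::::
svc:NP:17000::::::
EOF
    cat > "$d/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*;profiles=All
operator::::type=role;profiles=Operator
backup::::type=role;profiles=Media Backup
guest::::type=normal
EOF
    passwordless_accounts "$d/shadow" "$d/user_attr"
    rm -rf "$d"
}

passwordless_demo
```

On a live system the same function can be pointed at /etc/shadow and /etc/user_attr; the "user" lines are the ones that lose all attribution, the "role" lines at least record which user assumed them.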