[OpenIndiana-discuss] Update info?

Bill Sommerfeld sommerfeld at alum.mit.edu
Tue May 24 00:03:31 UTC 2011


On 05/23/11 16:54, Ken Gunderson wrote:
> On Mon, 2011-05-23 at 23:29 +0200, Jeppe Toustrup wrote:
>> The change was made upstream. See this bug report which discusses the change:
>> https://defect.opensolaris.org/bz/show_bug.cgi?id=4885
> 
> And here I used to think Dave was a smart guy.... let's bork Solaris's
> superior RBAC model so we can make it more like one of the lamest (at
> least w.r.t. seasoned users) Linux distros out there.  Damn fine
> analysis there....;-{

The way RBAC was configured by the OpenSolaris installer was flagrantly
insecure (automatically granting any process running with the uid of the
initial user account the ability to exec arbitrary commands as uid 0
with all privileges).

The upstream change closes a serious security hole.

						- Bill



