[OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
Alexander Pyhalov
alp at rsu.ru
Tue Dec 22 22:57:37 UTC 2015
If you followed, we've just replaced sysidtool with sysding.
This could have serious consequences for OI zones. sysding has logic
which checks on the first run if the zone's root password was set in
sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for
zlogin to work correctly.
The issue is that until the last version it didn't check if the root password in
/etc/shadow is non-empty. It is aggravated by the fact that
service/management/sysidtool was renamed to service/management/sysding.
So, on zone update sysding thinks that it is run for the first time and
resets the root password to 'NP'. The issue is resolved in
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12
So, if you update the system, ensure that this version is installed in your
zones. If you have an earlier version installed, please check your root
password's hash in /etc/shadow.
The scope of the issue is decreased by the fact that the package with the
sysidtool => sysding renaming existed for only several hours until the updated
sysding landed in the repository.
--
System Administrator of Southern Federal University Computer Center
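The check recommended above, as an added example (not code from sysding or from the original post): it classifies root's password field in a shadow(4)-style file so an admin can spot a zone whose root entry was reset to 'NP' or left empty, and `should_reset_to_np` mirrors the corrected first-run rule (only default to 'NP' when the shadow entry has no password at all). The state names and the sample shadow files are constructed for this example.

```shell
#!/bin/sh
# Classify root's password hash in a shadow(4)-style file.
# Prints one of: missing, empty, NP, locked, set.
root_password_state() {
    shadow_file=${1:-/etc/shadow}
    # Field 2 of the "root" entry is the password hash.
    hash=$(awk -F: '$1 == "root" { print $2; found = 1; exit }
                    END { if (!found) print "__missing__" }' "$shadow_file")
    case "$hash" in
        __missing__) echo missing ;;
        "")          echo empty ;;
        NP)          echo NP ;;
        \**|!*)      echo locked ;;   # "*LK*", "*", "!" style locked entries
        *)           echo set ;;
    esac
}

# Mirror of the corrected first-run logic: reset to 'NP' only when root has
# no password at all. The pre-fix behaviour ignored the shadow field entirely.
should_reset_to_np() {
    state=$(root_password_state "$1")
    [ "$state" = empty ] || [ "$state" = missing ]
}

# Constructed sample shadow files so the script runs stand-alone.
tmpdir=$(mktemp -d)
printf 'root:$5$abcdef$constructedhash:16790::::::\nbin:NP:6445::::::\n' \
    > "$tmpdir/shadow_set"
printf 'root::16790::::::\n'   > "$tmpdir/shadow_empty"
printf 'root:NP:16790::::::\n' > "$tmpdir/shadow_np"
printf 'bin:NP:6445::::::\n'   > "$tmpdir/shadow_missing"

for f in shadow_set shadow_empty shadow_np shadow_missing; do
    printf '%s: %s\n' "$f" "$(root_password_state "$tmpdir/$f")"
done
```

Run it against a zone's /etc/shadow with `root_password_state /zones/NAME/root/etc/shadow`; anything other than `set` after an update to the affected sysding version deserves a look.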