[OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

the outsider openindiana at out-side.nl
Tue Dec 22 23:02:38 UTC 2015


Which OI versions are impacted? 
Only Hipster or also 1.59? 


-----Oorspronkelijk bericht-----
Van: Alexander Pyhalov [mailto:alp at rsu.ru] 
Verzonden: dinsdag 22 december 2015 23:58
Aan: Discussion list for OpenIndiana <openindiana-discuss at openindiana.org>
Onderwerp: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

If you followed, we've just replaced sysidtool with sysding.
This could have serious consequences for OI zones. sysding has logic which
checks on the first run if zone's root password was set in sysding.conf. If
it wasn't set, it is set to 'NP'. This is necessary for zlogin to work
correctly.

The issue is that until last version it didn't check if root password in
/etc/shadow is non-empty. It is aggravated by the fact, that
service/management/sysidtool was renamed to service/management/sysding. 
So, on zone update sysding thinks that it is run for the first time and
resets root password to 'NP'. The issue is resolved in
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12
So, if you update system, ensure that this version is installed in your
zones. If you have earlier version installed, please, check you root
password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that package with sysidtool
=> sysding renaming existed only several hours until updated sysding landed
to the repository.
--
System Administrator of Southern Federal University Computer Center

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss at openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss




More information about the openindiana-discuss mailing list