[OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

Lou Picciano loupicciano at comcast.net
Wed Dec 23 03:29:16 UTC 2015


Thanks for staying on top of this. I suspect the downside will have been minimal... 

On the other hand, finally being able to easily configure a zone at provisioning? 

Priceless! 

Lou Picciano 

----- Original Message -----

From: "Alexander Pyhalov" <alp at rsu.ru> 
To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org> 
Sent: Tuesday, December 22, 2015 5:57:37 PM 
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding 

If you followed, we've just replaced sysidtool with sysding. 
This could have serious consequences for OI zones. sysding has logic 
which checks on the first run if the zone's root password was set in 
sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for 
zlogin to work correctly. 

The issue is that until the last version it didn't check if the root password in 
/etc/shadow is non-empty. It is aggravated by the fact that 
service/management/sysidtool was renamed to service/management/sysding. 
So, on zone update sysding thinks that it is run for the first time and 
resets the root password to 'NP'. The issue is resolved in 
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12 
So, if you update the system, ensure that this version is installed in your 
zones. If you have an earlier version installed, please check your root 
password's hash in /etc/shadow. 

The scope of the issue is decreased by the fact that the package with the 
sysidtool => sysding renaming existed for only several hours until the updated 
sysding landed in the repository. 
-- 
System Administrator of Southern Federal University Computer Center 

_______________________________________________ 
openindiana-discuss mailing list 
openindiana-discuss at openindiana.org 
http://openindiana.org/mailman/listinfo/openindiana-discuss 
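
The /etc/shadow check recommended in the message above, as an added example that is not part of the original thread or of sysding: it reports whether root's password field is still a hash or has become 'NP'. The function names and the sample shadow files are constructed for illustration, and the field meanings other than 'NP' follow shadow(4).

```shell
#!/bin/sh
# Added example: report the state of root's password field in shadow(4) files.

# root_pw_state FILE -> prints hash | NP | locked | empty | missing | unreadable
root_pw_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")            print "empty"    # no password at all
            else if ($2 == "NP")     print "NP"       # value sysding writes
            else if ($2 ~ /^\*LK\*/) print "locked"
            else                     print "hash"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# audit_shadow FILE... -> one line per file; returns 1 unless every root entry is a hash
audit_shadow() {
    rc=0
    for f in "$@"; do
        state=$(root_pw_state "$f")
        if [ "$state" = hash ]; then
            echo "OK    $f: root has a password hash"
        else
            echo "CHECK $f: root password field is '$state'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (not real hashes): one intact zone, one reset zone.
make_samples() {
    mkdir -p "$1/zoneA" "$1/zoneB"
    cat > "$1/zoneA/shadow" <<'EOF'
root:$5$constructedsalt$CONSTRUCTEDPLACEHOLDERHASH:16791::::::
daemon:NP:6445::::::
EOF
    cat > "$1/zoneB/shadow" <<'EOF'
root:NP:16791::::::
daemon:NP:6445::::::
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_shadow "$tmp/zoneA/shadow" "$tmp/zoneB/shadow" || true
rm -rf "$tmp"
```

To audit real zones, pass each zone's shadow file to `audit_shadow`; the location `<zonepath>/root/etc/shadow` as seen from the global zone is an assumption about the zone layout, and reading it requires root privileges.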


