I'm sponsoring this fast track for Aaron Zang and the Virtual Console team. This case proposes to eliminate the vtdaemon "rootunlock" property of PSARC/2006/591, Virtual Console. The Virtual Console project has not delivered into any version of OpenSolaris or Solaris so this case introduces no incompatibilities. This case proposes no change to the original approved Release Binding of patch/micro.
The timer is set for 19 Aug, 2008.

Gary..

=============================================================================

Background
==========

PSARC/2006/591 proposed the virtual console feature for Solaris. The SMF service, svc:/system/vtdaemon:default, provides a secure switch function between different text virtual consoles. The vtdaemon service proposed a "rootunlock" property. When the value of "rootunlock" was "true", vtdaemon allowed unlocking text virtual consoles using the root user's password instead of the locking user's password.

Update
======

The intention of the "rootunlock" property was to deal with a potential DoS (denial of service) attack, i.e., a user could log on to all available and switch away, thus all these text virtual consoles would be locked.

The project team now considers the "rootunlock" property unnecessary because:

1) Neither xlock nor xscreensaver has such an unlocking feature.

2) As all the virtual consoles are local, the access to virtual consoles is controlled by physical access. The "rootunlock" property is seen as somewhat paranoid. It can also lead to incorrect attribution of actions to the locking user by another user.

3) A user with physical access to the console can cause other disruptive action.

The project team proposes to eliminate the "rootunlock" property.