All, Attached is the updated proposal which is also archived (diff below). The modification is to remove the Primary Administrator rights from the user at install time.
Thanks, John *** proposal.txt.orig Thu Feb 25 08:53:52 2010 --- proposal.txt Fri Feb 26 13:52:00 2010 *************** *** 13,19 **** 2.1. Project Description: Updates Users screen of Solaris GUI installer. ! The proposed updates are in response to Bug 1436 [1]. 4. Technical Description: 4.1. Details: --- 13,19 ---- 2.1. Project Description: Updates Users screen of Solaris GUI installer. ! The proposed updates are in response to Bug 1436 [1] and 4885 [4] 4. Technical Description: 4.1. Details: *************** *** 25,30 **** --- 25,33 ---- - Entry of users login name and password is now mandatory. - Default root password is set to initial login password specified here. + This case also implement the removal or Primary Administrator privileges for + the initial user created. See [4] + 4.2. Interfaces: Exported Interfaces Stability Comments *************** *** 59,61 **** --- 62,66 ---- [3] UIRB/2007/264 Dwarf Caiman UIRB Review Materials http://sac.sfbay/Archives/CaseLog/rb/UIRB/2007/264/ + [4] User created by installer gets unsafe profile "Primary Administrator" + http://defect.opensolaris.org/bz/show_bug.cgi?id=4885 On 02/26/10 01:44 AM, Casper.Dik at Sun.COM wrote: > >> Since this case makes it mandatory that root is a role, it should also >> make it mandatory to assume the root role in order to get a root shell. >> The current behavior, whereby the user can get a root shell by typing >> "pfexec bash" is a serious security flaw, and is inconsistent with the >> RBAC implementation in Solaris. For example, such a sequence could be >> embedded in any script which the user might execute, thereby becoming >> root without the user's intent. >> >> So I agree with Darren that this case is incomplete, unless it also >> undoes the assignment of the Primary Administrator rights profile to the >> initial user. IMHO, it would never have been approved if it had been >> requested through the ARC process. > > Indeed; the new implementation of "in-kernel pfexec" makes this > very clear; a user with a "Primary Administrator" as their profile, > will get a "root" prompt when executing a pf*sh*. (That's because > the in-kernel pfexec executes a profile shell as if it is executed > by pfexec) > > Casper > -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: proposal.txt URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20100226/771ec8a9/attachment.txt>