Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-24 Thread Jim Klimov
On 23 December 2015 4:29:16 CET, Lou Picciano <loupicci...@comcast.net> wrote:
>Thanks for staying on top of this. I suspect the downside will have
>been minimal... 
>
>On the other hand, finally being able to easily configure a zone at
>provisioning? 
>
>Priceless! 
>
>Lou Picciano 
>
>- Original Message -
>
>From: "Alexander Pyhalov" <a...@rsu.ru> 
>To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org> 
>Sent: Tuesday, December 22, 2015 5:57:37 PM 
>Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding 
>
>If you followed, we've just replaced sysidtool with sysding. 
>This could have serious consequences for OI zones. sysding has logic 
>which checks on the first run if zone's root password was set in 
>sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary 
>for zlogin to work correctly. 
>
>The issue is that until the last version it didn't check if root password 
>in /etc/shadow is non-empty. It is aggravated by the fact that 
>service/management/sysidtool was renamed to service/management/sysding. 
>So, on zone update sysding thinks that it is run for the first time and 
>resets root password to 'NP'. The issue is resolved in 
>pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12
>
>So, if you update the system, ensure that this version is installed in your 
>zones. If you have an earlier version installed, please check your root 
>password's hash in /etc/shadow. 
>
>The scope of the issue is decreased by the fact that the package with the 
>sysidtool => sysding renaming existed only several hours until the updated 
>sysding landed in the repository. 

> If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work 
> correctly. 

Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it for 
low-level access, and zone-installer maybe too...

My 2c, Jim

--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-24 Thread Alexander Pyhalov

On 12/23/2015 15:47, Jim Klimov wrote:
> On 23 December 2015 4:29:16 CET, Lou Picciano wrote:
>
>>> If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work 
>>> correctly.
>
> Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it for 
> low-level access, and zone-installer maybe too...

I'd prefer this; I wouldn't like to tell everyone: now you have to use 
"zlogin -S". OmniOS used another approach - they set the root password to 
some hardcoded hash on zone creation. Perhaps it's even better.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-24 Thread Gary Mills
On Thu, Dec 24, 2015 at 03:24:25PM +0300, Alexander Pyhalov wrote:
> On 12/23/2015 15:47, Jim Klimov wrote:
> >On 23 December 2015 4:29:16 CET, Lou Picciano wrote:
> 
> >>If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work 
> >>correctly.
> >
> >Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it 
> >for low-level access, and zone-installer maybe too...
> >
> 
> I'd prefer this, I wouldn't like to tell everyone: now you have to
> use "zlogin -S".

The man page for zlogin says this:

Use of this option requires the authorization
solaris.zone.manage/zonename.

So, it does have security.

-- 
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-



[OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-22 Thread Alexander Pyhalov

If you followed, we've just replaced sysidtool with sysding.
This could have serious consequences for OI zones. sysding has logic 
which checks on the first run if zone's root password was set in 
sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for 
zlogin to work correctly.


The issue is that until the last version it didn't check if the root password in 
/etc/shadow is non-empty. It is aggravated by the fact that 
service/management/sysidtool was renamed to service/management/sysding. 
So, on zone update sysding thinks that it is run for the first time and 
resets the root password to 'NP'. The issue is resolved in 
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12 
So, if you update the system, ensure that this version is installed in your 
zones. If you have an earlier version installed, please check your root 
password's hash in /etc/shadow.


The scope of the issue is decreased by the fact that the package with the 
sysidtool => sysding renaming existed only several hours until the updated 
sysding landed in the repository.

--
System Administrator of Southern Federal University Computer Center

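The check the HEADSUP asks for, as an added example that is not part of the original post or of sysding itself: a small POSIX sh audit of a shadow(4)-format file for an empty or 'NP' root password field, plus the corrected first-run decision (only default to NP when neither sysding.conf nor /etc/shadow holds a root password). File paths and the sample shadow entries are constructed; on a real zone you would point `audit_root_hash` at /etc/shadow.

```shell
#!/bin/sh
# Added example, not sysding's own code: audit a shadow(4)-format file for the
# condition described in the HEADSUP and show the corrected first-run decision.
# File paths and sample entries below are constructed for illustration.

# Print the password field (field 2) of the root entry of a shadow-format file.
shadow_root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Classify root's password field:
#   empty  - field is empty (passwordless root: what the fixed sysding looks for)
#   NP     - the "no password" marker sysding writes on a first run
#   locked - *LK* prefix, account locked
#   hashed - a real password hash is present
audit_root_hash() {
    hash=$(shadow_root_hash "$1")
    case "$hash" in
        "")      echo empty ;;
        NP)      echo NP ;;
        \*LK\**) echo locked ;;
        *)       echo hashed ;;
    esac
}

# Corrected first-run logic: default root to NP only when sysding.conf carries no
# password AND the existing shadow entry is empty. Before 2015.0.2.12 sysding
# skipped the second test, so a package update (seen as a first run after the
# sysidtool -> sysding rename) replaced an existing hash with NP.
# $1 = root password value from sysding.conf ("" if unset), $2 = shadow file
should_default_to_np() {
    [ -z "$1" ] && [ -z "$(shadow_root_hash "$2")" ]
}

# Constructed sample shadow files (not real system data).
tmp=${TMPDIR:-/tmp}/sysding-example.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf 'root:$5$saltsalt$constructedhash:16800::::::\n' > "$tmp/shadow.hashed"
printf 'root:NP:16800::::::\nbin:*LK*:16800::::::\n' > "$tmp/shadow.np"
printf 'root::16800::::::\n' > "$tmp/shadow.empty"

for f in "$tmp"/shadow.*; do
    printf '%s: root password field is %s\n' "$(basename "$f")" "$(audit_root_hash "$f")"
done
```

A zone whose audit reports `NP` or `empty` after the update is one the affected sysding version touched and needs its root password set again.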


Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-22 Thread the outsider
Which OI versions are impacted? 
Only Hipster or also 1.59? 


-Original Message-
From: Alexander Pyhalov [mailto:a...@rsu.ru] 
Sent: Tuesday 22 December 2015 23:58
To: Discussion list for OpenIndiana <openindiana-discuss@openindiana.org>
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

If you followed, we've just replaced sysidtool with sysding.
This could have serious consequences for OI zones. sysding has logic which
checks on the first run if zone's root password was set in sysding.conf. If
it wasn't set, it is set to 'NP'. This is necessary for zlogin to work
correctly.

The issue is that until the last version it didn't check if the root password in
/etc/shadow is non-empty. It is aggravated by the fact that
service/management/sysidtool was renamed to service/management/sysding. 
So, on zone update sysding thinks that it is run for the first time and
resets the root password to 'NP'. The issue is resolved in
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12
So, if you update the system, ensure that this version is installed in your
zones. If you have an earlier version installed, please check your root
password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that the package with the sysidtool
=> sysding renaming existed only several hours until the updated sysding landed
in the repository.
--
System Administrator of Southern Federal University Computer Center





Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-22 Thread Alexander Pyhalov

the outsider wrote on 23.12.2015 02:02:

> Which OI versions are impacted?
> Only Hipster or also 1.59?



Only Hipster.

---
System Administrator of Southern Federal University Computer Center





Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

2015-12-22 Thread Lou Picciano
Thanks for staying on top of this. I suspect the downside will have been 
minimal... 

On the other hand, finally being able to easily configure a zone at 
provisioning? 

Priceless! 

Lou Picciano 

- Original Message -

From: "Alexander Pyhalov" <a...@rsu.ru> 
To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org> 
Sent: Tuesday, December 22, 2015 5:57:37 PM 
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding 

If you followed, we've just replaced sysidtool with sysding. 
This could have serious consequences for OI zones. sysding has logic 
which checks on the first run if zone's root password was set in 
sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for 
zlogin to work correctly. 

The issue is that until the last version it didn't check if the root password in 
/etc/shadow is non-empty. It is aggravated by the fact that 
service/management/sysidtool was renamed to service/management/sysding. 
So, on zone update sysding thinks that it is run for the first time and 
resets the root password to 'NP'. The issue is resolved in 
pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12 
So, if you update the system, ensure that this version is installed in your 
zones. If you have an earlier version installed, please check your root 
password's hash in /etc/shadow. 

The scope of the issue is decreased by the fact that the package with the 
sysidtool => sysding renaming existed only several hours until the updated 
sysding landed in the repository. 
-- 
System Administrator of Southern Federal University Computer Center 

