Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
23 December 2015 4:29:16 CET, Lou Picciano <loupicci...@comcast.net> writes:
>Thanks for staying on top of this. I suspect the downside will have
>been minimal...
>
>On the other hand, finally being able to easily configure a zone at
>provisioning?
>
>Priceless!
>
>Lou Picciano
>
>- Original Message -
>
>From: "Alexander Pyhalov" <a...@rsu.ru>
>To: "Discussion list for OpenIndiana"
><openindiana-discuss@openindiana.org>
>Sent: Tuesday, December 22, 2015 5:57:37 PM
>Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in
>sysding
>
>If you followed, we've just replaced sysidtool with sysding.
>This could have serious consequences for OI zones. sysding has logic
>which checks on the first run if zone's root password was set in
>sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary
>for zlogin to work correctly.
>
>The issue is that until last version it didn't check if root password
>in /etc/shadow is non-empty. It is aggravated by the fact that
>service/management/sysidtool was renamed to service/management/sysding.
>
>So, on zone update sysding thinks that it is run for the first time and
>resets root password to 'NP'. The issue is resolved in
>pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12
>
>So, if you update system, ensure that this version is installed in your
>zones. If you have earlier version installed, please, check your root
>password's hash in /etc/shadow.
>
>The scope of the issue is decreased by the fact that package with
>sysidtool => sysding renaming existed only several hours until updated
>sysding landed to the repository.

> If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work
> correctly.

Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it for low-level access, and zone-installer maybe too...

My 2c,
Jim

--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
On 12/23/2015 15:47, Jim Klimov wrote:
> 23 December 2015 4:29:16 CET, Lou Picciano writes:
>> If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work
>> correctly.
>
> Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it
> for low-level access, and zone-installer maybe too...

I'd prefer this, I wouldn't like to tell everyone: now you have to use "zlogin -S". OmniOS used another approach - they set root password to some hardcoded hash on zone creation. Perhaps it's even better.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
On Thu, Dec 24, 2015 at 03:24:25PM +0300, Alexander Pyhalov wrote:
> On 12/23/2015 15:47, Jim Klimov wrote:
> >23 December 2015 4:29:16 CET, Lou Picciano writes:
> >
> >>If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work
> >>correctly.
> >
> >Why is that? Who is 'zlogin -S' for? ;) e.g. zone shutdown scripts use it
> >for low-level access, and zone-installer maybe too...
>
> I'd prefer this, I wouldn't like to tell everyone: now you have to
> use "zlogin -S".

The man page for zlogin says this:

    Use of this option requires the authorization solaris.zone.manage/zonename.

So, it does have security.

--
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-
[OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
If you followed, we've just replaced sysidtool with sysding. This could have serious consequences for OI zones. sysding has logic which checks on the first run if zone's root password was set in sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work correctly.

The issue is that until last version it didn't check if root password in /etc/shadow is non-empty. It is aggravated by the fact that service/management/sysidtool was renamed to service/management/sysding.

So, on zone update sysding thinks that it is run for the first time and resets root password to 'NP'. The issue is resolved in pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12

So, if you update system, ensure that this version is installed in your zones. If you have earlier version installed, please, check your root password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that package with sysidtool => sysding renaming existed only several hours until updated sysding landed to the repository.

--
System Administrator of Southern Federal University Computer Center
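The first-run decision and the follow-up /etc/shadow check described in the message above, as an added shell example (not sysding's own code): it models the old decision, which consults only sysding.conf, beside the fixed one, which keeps a non-empty root hash already present in shadow, against constructed shadow and sysding.conf files. The `setup_root_password <hash>` line is an assumption about sysding.conf's format.

```shell
# Added example, not sysding's code: models the first-run decision from the
# HEADSUP against constructed files. The "setup_root_password <hash>" line
# is an assumption about sysding.conf's format.
set -u

# Password field of the root entry in a shadow(4)-format file.
shadow_root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Hash named in sysding.conf, or empty when no such line exists.
conf_root_hash() {
    awk '$1 == "setup_root_password" { print $2; exit }' "$1"
}

# Old behaviour described in the HEADSUP: only sysding.conf is consulted,
# so an update that looks like a first run resets root to NP.
decide_old() {   # $1 = sysding.conf, $2 = shadow (ignored; that is the bug)
    if [ -n "$(conf_root_hash "$1")" ]; then echo "apply-conf"; else echo "reset-NP"; fi
}

# Fixed behaviour: a non-empty root hash already in shadow is kept.
decide_fixed() { # $1 = sysding.conf, $2 = shadow
    if [ -n "$(conf_root_hash "$1")" ]; then echo "apply-conf"
    elif [ -n "$(shadow_root_hash "$2")" ]; then echo "keep"
    else echo "reset-NP"; fi
}

# Follow-up check from the HEADSUP: 0 if root carries a real hash,
# 1 if the field is empty or NP (no password required).
audit_root() {
    case "$(shadow_root_hash "$1")" in
        ""|NP) return 1 ;;
        *)     return 0 ;;
    esac
}

# Constructed sample files; the hashes are placeholders, not real ones.
TMP=$(mktemp -d)
printf 'root:$5$constructedsalt$notarealhash:16790::::::\n' > "$TMP/shadow.ok"
printf 'root::16790::::::\n'                                 > "$TMP/shadow.empty"
printf 'root:NP:16790::::::\n'                               > "$TMP/shadow.np"
printf 'setup_timezone UTC\n'                                > "$TMP/conf.nopw"
printf 'setup_root_password $5$constructedsalt$fromconf\n'  > "$TMP/conf.pw"
```

Running `audit_root /etc/shadow` in each zone is the one-line form of the "check your root password's hash" advice; a non-zero exit means the field is empty or NP.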
Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
Which OI versions are impacted? Only Hipster or also 1.59?

-Original Message-
From: Alexander Pyhalov [mailto:a...@rsu.ru]
Sent: Tuesday, 22 December 2015 23:58
To: Discussion list for OpenIndiana <openindiana-discuss@openindiana.org>
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

If you followed, we've just replaced sysidtool with sysding. This could have serious consequences for OI zones. sysding has logic which checks on the first run if zone's root password was set in sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work correctly.

The issue is that until last version it didn't check if root password in /etc/shadow is non-empty. It is aggravated by the fact that service/management/sysidtool was renamed to service/management/sysding.

So, on zone update sysding thinks that it is run for the first time and resets root password to 'NP'. The issue is resolved in pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12

So, if you update system, ensure that this version is installed in your zones. If you have earlier version installed, please, check your root password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that package with sysidtool => sysding renaming existed only several hours until updated sysding landed to the repository.

--
System Administrator of Southern Federal University Computer Center
Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
the outsider wrote on 23.12.2015 02:02:
> Which OI versions are impacted? Only Hipster or also 1.59?

Only Hipster.

---
System Administrator of Southern Federal University Computer Center
Re: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding
Thanks for staying on top of this. I suspect the downside will have been minimal...

On the other hand, finally being able to easily configure a zone at provisioning?

Priceless!

Lou Picciano

- Original Message -

From: "Alexander Pyhalov" <a...@rsu.ru>
To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
Sent: Tuesday, December 22, 2015 5:57:37 PM
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

If you followed, we've just replaced sysidtool with sysding. This could have serious consequences for OI zones. sysding has logic which checks on the first run if zone's root password was set in sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work correctly.

The issue is that until last version it didn't check if root password in /etc/shadow is non-empty. It is aggravated by the fact that service/management/sysidtool was renamed to service/management/sysding.

So, on zone update sysding thinks that it is run for the first time and resets root password to 'NP'. The issue is resolved in pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12

So, if you update system, ensure that this version is installed in your zones. If you have earlier version installed, please, check your root password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that package with sysidtool => sysding renaming existed only several hours until updated sysding landed to the repository.

--
System Administrator of Southern Federal University Computer Center