Darren Reed wrote:
> There are any number of login methods that have built in "do not let
> root login this way" features. So now, rather than try to attack the
> root account, a hacker is forced (if they weren't before) to target
> another account. And once they crack that account, all they need to do
> is run "pfexec" to gain privilege. Unlike su, there is no second
> password required to run pfexec in the current installation. In effect,
> every account that can run pfexec and assume all of those privileges
> without a password is now a root account yet there is no restriction on
> where they can be logged into from.
That's an acknowledged bug in the profiles granted to the default user account established by the current Caiman installers, not a property of making root a role.

https://defect.opensolaris.org/bz/show_bug.cgi?id=4885

--
-Alan Coopersmith- [email protected]
Oracle Solaris Platform Engineering: X Window System
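A defender-side audit of the point both messages make, added here and not part of the thread: it lists the local accounts that hold a given RBAC profile directly (and so can use it through pfexec with no second password), skipping role accounts, which first have to be assumed with su and the role's password. It assumes the Solaris /etc/user_attr line format and runs against a constructed sample file; the profile name to check is the caller's choice.

```shell
#!/bin/sh
# Added audit helper, not code from the mailing-list thread. Assumes the
# Solaris /etc/user_attr format: user:qualifier:res1:res2:attrs, where attrs
# is a ';'-separated list such as "profiles=A,B;roles=root;type=role".

# list_profile_holders FILE PROFILE
# Prints one username per line for every non-role entry whose profiles=
# attribute names PROFILE exactly.
list_profile_holders() {
    file="$1"
    profile="$2"
    awk -F: -v want="$profile" '
        /^#/ || NF < 5 { next }          # skip comments and malformed lines
        {
            n = split($5, attrs, ";")
            isrole = 0; found = 0
            for (i = 1; i <= n; i++) {
                if (attrs[i] == "type=role") isrole = 1
                if (attrs[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", attrs[i])
                    m = split(attrs[i], profs, ",")
                    for (j = 1; j <= m; j++)
                        if (profs[j] == want) found = 1
                }
            }
            # A role needs authentication to assume; a plain user does not.
            if (found && !isrole) print $1
        }' "$file"
}

# Constructed sample user_attr file for demonstration only.
SAMPLE_USER_ATTR=$(mktemp)
cat > "$SAMPLE_USER_ATTR" <<'EOF'
# comment line
root::::auths=solaris.*;profiles=All;type=role
jdoe::::profiles=Primary Administrator,Basic Solaris User;roles=root
asmith::::profiles=Basic Solaris User
ops::::type=role;profiles=Primary Administrator
EOF

# Accounts that can reach the all-privilege profile via pfexec alone.
list_profile_holders "$SAMPLE_USER_ATTR" "Primary Administrator"
```

On a live system point it at /etc/user_attr; profiles granted system-wide through PROFS_GRANTED in /etc/security/policy.conf do not appear in user_attr and need a separate check.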
