Which OI versions are impacted? Only Hipster or also 1.59?
-----Original Message-----
From: Alexander Pyhalov [mailto:a...@rsu.ru]
Sent: Tuesday, 22 December 2015 23:58
To: Discussion list for OpenIndiana <openindiana-discuss@openindiana.org>
Subject: [OpenIndiana-discuss] [HEADSUP] serious security issue in sysding

If you followed, we've just replaced sysidtool with sysding. This could have serious consequences for OI zones.

sysding has logic which checks on the first run if the zone's root password was set in sysding.conf. If it wasn't set, it is set to 'NP'. This is necessary for zlogin to work correctly. The issue is that until the last version it didn't check if the root password in /etc/shadow is non-empty. It is aggravated by the fact that service/management/sysidtool was renamed to service/management/sysding. So, on zone update sysding thinks that it is run for the first time and resets the root password to 'NP'.

The issue is resolved in pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12

So, if you update the system, ensure that this version is installed in your zones. If you have an earlier version installed, please check your root password's hash in /etc/shadow.

The scope of the issue is decreased by the fact that the package with the sysidtool => sysding renaming existed for only several hours until the updated sysding landed in the repository.

--
System Administrator of Southern Federal University Computer Center

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
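One way to run the /etc/shadow check the advisory asks for across all zones, as an added example that is not part of the original message or of sysding. It assumes it is run as root in the global zone and that each zone's root filesystem is reachable at `<zonepath>/root`; the function names `root_shadow_state` and `check_zones` are hypothetical.

```shell
#!/bin/sh
# Added example. Classifies the root entry of a shadow(4) file and prints
# one of: missing, empty, NP, locked, hash.
# Set AWK=nawk on systems where /usr/bin/awk is the legacy awk.
root_shadow_state() {
    shadow_file=$1
    # An unreadable file (e.g. zone root not mounted) is reported as missing.
    [ -r "$shadow_file" ] || { echo missing; return 0; }
    "${AWK:-awk}" -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")            print "empty"
            else if ($2 == "NP")     print "NP"
            else if ($2 ~ /^\*LK\*/) print "locked"
            else                     print "hash"
            exit
        }
        END { if (!found) print "missing" }
    ' "$shadow_file"
}

# Walk installed zones from the global zone. "zoneadm list -ip" prints
# colon-separated records: zoneid:zonename:state:zonepath:...
# Assumption: the zone root is available at <zonepath>/root.
check_zones() {
    zoneadm list -ip | while IFS=: read -r _id name _state zpath _rest; do
        [ "$name" = "global" ] && continue
        state=$(root_shadow_state "$zpath/root/etc/shadow")
        echo "$name: root password field is $state"
    done
}

if command -v zoneadm >/dev/null 2>&1; then
    check_zones
else
    # No zoneadm on this host: run on a constructed sample entry instead.
    sample=$(mktemp)
    printf 'root:NP:6445::::::\n' > "$sample"
    echo "sample: root password field is $(root_shadow_state "$sample")"
    rm -f "$sample"
fi
```

A zone reported as `NP` or `empty` has no password hash in root's shadow entry; `missing` also covers a zone whose root filesystem is not mounted, so check that zone from inside.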