Bug #204

pfexec doesn't seem to work

Added by Chris Ridd over 3 years ago. Updated over 3 years ago.

Status:Closed Start date:2010-09-15
Priority:High Due date:
Assignee:Alasdair Lumsden % Done:

0%

Category:Caiman (Installer)
Target version:-
Difficulty:Medium Tags:needs-triage

Description

On OpenSolaris (snv_134):

id -a
uid=1002(cjr) gid=1002(cjr) groups=1002(cjr) [...]
pfexec id -a
uid=0(root) gid=0(root) groups=1002(cjr) [...]

On oi_147, on a completely fresh install:

id -a
uid=101(cjr) gid=10(staff) groups=10(staff)
pfexec id -a
uid=101(cjr) gid=10(staff) groups=10(staff)

I note the entry for "cjr" in oi_147's /etc/user_attr is different from snv_134:

(snv_134)
cjr=::::profiles=Primary Administrator;roles=root

(oi_147)
cjr::::roles=root

A consequence of this is that I cannot update any packages or apparently do anything privileged.


Related issues

related to OpenIndiana Distribution - Bug #201: TimeSlider must not need "Root" Password Rejected 2010-09-15
related to OpenIndiana Distribution - Bug #636: Fix graphical installer to prevent root password expiring Closed 2011-01-16

History

Updated by Chris Ridd over 3 years ago

su'ing to root (which forced me to change root's password) allowed me to update cjr's entry in /etc/user_attr, and pfexec now works for "cjr".

Updated by none none over 3 years ago

The /etc/user_attr for user 'jack' in the LiveCD doesn't have this problem. Confirmed issue exists on a installed system.

caiman/slim_source/usr/src/lib/libict_pymod/ict.py seems to be used by the installer to manipulate user_attr and needs further investigation.

Updated by Jeppe Toustrup over 3 years ago

It can be changed with a simple usermod -P "Primary Administrator" <username>, when you have gained root permissions on the system.

Updated by Rich Lowe over 3 years ago

This is not a bug. This is the result of caiman changeset:

changeset:   861:ccd399d2c6f7
user:        David Miner <dminer@opensolaris.org>
date:        Tue Aug 17 18:22:44 2010 -0400
description:
    6973927 Installation fails if Primary Administrator rights profile is removed from the system
    4885 User created by installer gets unsafe profile "Primary Administrator" 
    9966 install unnecessarily propagates /lost+found from image to rpool
    15454 pkg install failure in im_pop did not abort DC and AI
    15507 SUNWcs and SUNWcsd can be removed from manifests
    16295 install-finish runs update_boot_archive ICT twice for text and GUI installs
    16645 Incorrect permissions on ict.py in build 144 can cause ict's to fail to run
    16740 Special handling of SUNWcs and SUNWcsd can be removed from transfer module

Specifically 4885

You should have sudo access instead, by default.

The 'root has my password, then prompts me to change it' thing is also, I think, a post-b134 feature.

Updated by Albert Lee over 3 years ago

  • Assignee set to Alasdair Lumsden
  • Target version set to oi_148

We need to do something about this. Need to check if pfexec's consumers are fixed in snv_148. If not, the solution of least impact may be to restore the Primary Administrator profile for now.

Updated by Albert Lee over 3 years ago

packagemanager(1) and time-slider-setup(1) fall back to su. Not expiring the root password by default would be a reasonably safe workaround we can apply for, as root remains a role only accessible by the default user. This would make su an audit-enabled alternative to the default sudo configuration in most respects, except for password changes later on.

Updated by Albert Lee over 3 years ago

  • Priority changed from High to Normal
  • Target version deleted (oi_148)

Interim solution for oi_148 is to set the root password in the installer. Keeping this bug open, but reducing priority.

Updated by Rob Clark over 3 years ago

Albert Lee wrote:

Interim solution for oi_148 is to set the root password in the installer. Keeping this bug open, but reducing priority.

I tried to run GParted AFTER installation but it requires root privileges. If I right-click the Clock and "Adjust Date & Time" then I am asked for the root password but Gparted simply fails.

I rebooted and used the Installer Disk but the version of GParted included does NOT support Solaris Partitions (or Linux-Swap), unless we want to format for NTFS it is of no use.

The FAQ does say to goto a Terminal and type "su -"; then you can enter a password to set the root's NEW password.

I did that but when I open [System][Administration][Core Files] (and try to set "Addict") it refuses my password --- so there does need some work done with the root passwording authentication system.

BTW: We ought to change Jack's password from the old OS's name to our new name. ;)

Thanks, and hello everyone,
Rob

Updated by Albert Lee over 3 years ago

  • Priority changed from Normal to High

For some reason, the 148 live media installer is missing gber's changes to prompt for the root password separately (and not set it as expired).

Updated by Matt Wilby over 3 years ago

  • Status changed from New to Closed

Duplicate. New bug #636 created to cover all instances (#204, #579, #619) .

Also available in: Atom PDF