Security issue in sysding

If you followed, we’ve just replaced sysidtool with sysding.
This could have serious consequences for OI zones. sysding has logic which checks on the first run if zone’s root password was set in sysding.conf. If it wasn’t set, it is set to ‘NP’. This is necessary for zlogin to work correctly.

The issue is that until last version it didn’t check if root password in /etc/shadow is non-empty. It is aggravated by the fact, that service/management/sysidtool was renamed to service/management/sysding. So, on zone update sysding thinks that it is run for the first time and resets root password to ‘NP’. The issue is resolved in pkg://openindiana.org/service/management/sysding@0.5.11,5.11-2015.0.2.12 . So, if you update system, ensure that this (or later) version is installed in your zones. If you have earlier version installed, please, check your root password’s hash in /etc/shadow.

The scope of the issue is decreased by the fact that package with sysidtool => sysding renaming existed only several hours until updated sysding landed to the repository.