List:       busybox
Subject:    Re: [PATCH] su: support denying accounts with blank password
From:       Timo Teras <timo.teras () iki ! fi>
Date:       2015-06-10 5:05:20
Message-ID: 20150610080520.7705acd9 () vostro

On Tue, 09 Jun 2015 22:20:30 +0200
Laurent Bercot <ska-dietlibc@skarnet.org> wrote:

> On 09/06/2015 21:44, Natanael Copa wrote:
> > It is an interesting dilemma. What is worse, blank root password or
> > weak/default root password (eg 'root' or similar)?
> 
>   I'll suggest that it doesn't matter in the slightest, because a
> machine should only be in either state when it's on a trusted
> network where new machines are installed (or, if possible, on no
> network at all) and should never find itself in those states
> out there in a place where users can connect to it.
> 
>   IOW, if a computer gets hacked because its root password was
> blank or default, it's not a problem you can solve by choosing
> the other solution. :)

The only situation that would benefit from this is when you have a box
running network-only services (no local logins for users), and admin
is done with ssh key authentication.

The problem then becomes: services run as non-root users, and to
maintain security isolation, you don't want those service accounts to
be able to sudo or su.

Having no password for root would allow console login if necessary
without the need to consult password lists, but at the same time disable
all other root access.

/Timo
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
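As an added illustration (not code from the thread, the patch, or busybox itself), the setup Timo describes: a root entry with an empty password field, which login on the console accepts, next to locked service accounts and a regular hashed account, classified the way an su that denies blank-password accounts would treat each of them. The shadow lines are constructed sample data, not from any real system.

```shell
#!/bin/sh
# Constructed shadow-format sample (not a real /etc/shadow).
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root::16595:0:99999:7:::
daemon:*:16595:0:99999:7:::
sshd:!:16595:0:99999:7:::
alice:$6$saltsalt$hashhashhash:16595:0:99999:7:::
www-data:!:16595:0:99999:7:::'

# Classify the password field of a shadow entry:
#   blank  -> empty field: console login succeeds with no password,
#             but an su that denies blank-password accounts refuses it
#   locked -> "*" or a field starting with "!": no password auth at all
#   hashed -> a real hash: su authenticates against it
classify_shadow_field() {
    case "$1" in
        '')       echo blank ;;
        '*'|'!'*) echo locked ;;
        *)        echo hashed ;;
    esac
}

# Read shadow-format lines on stdin and print "user state" per entry.
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_shadow_field "$pw")"
    done
}

# Accounts in the sample that su-with-blank-denial would refuse
# (while console login would still let them in without a password).
blank_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | while read -r user state; do
        if [ "$state" = blank ]; then
            printf '%s\n' "$user"
        fi
    done
}

blank_accounts
```

Run against a real shadow file with `audit_shadow < /etc/shadow` as root to see which accounts fall into each class.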