
List:       busybox
Subject:    Re: [PATCH] su: support denying accounts with blank password
From:       Kaarle Ritvanen <kaarle.ritvanen () datakunkku ! fi>
Date:       2015-09-28 11:46:37
Message-ID: alpine.LFD.2.20.1509281312110.636 () kanala ! kunkku ! net

On Wed, 10 Jun 2015, Timo Teras wrote:

> On Tue, 09 Jun 2015 22:20:30 +0200
> Laurent Bercot <ska-dietlibc@skarnet.org> wrote:
> 
> >   IOW, if a computer gets hacked because its root password was
> > blank or default, it's not a problem you can solve by choosing
> > the other solution. :)
> 
> The only situation that would benefit from this is that you have box
> running network only services (no local logins for users). And admin
> is done with ssh key authentication.
> 
> The problem then becomes: services run as non-root users, and to
> maintain security isolation, you don't want those service accounts to
> be able to sudo or su.
> 
> Having no password for root would allow console login if necessary
> without need to consult password lists. But at the same time disable all
> other root access.

Yes, applying this patch would allow for greater security than setting the 
root password. Passwords are always subject to dictionary and brute force 
attacks, recording by keyloggers, discovery of the Post-it note they are 
written on, etc. This patch, on the other hand, would remove these 
attack vectors completely while allowing root access via a trusted 
console.

In mainstream Linux distributions, the same effect can be achieved by 
adjusting the PAM configuration for su. Having this patch included would 
increase busybox's usefulness without increasing its footprint at all.

BR,
Kaarle
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
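As an added illustration of the PAM route Kaarle mentions (this script is not part of the thread or of the busybox patch): on a PAM-based system, pam_unix rejects an account whose shadow password field is blank unless the service's auth line carries `nullok`. Leaving `nullok` out of /etc/pam.d/su while keeping it in the console login service gives the same split as the patch: a blank root password can still log in on the console, but su to root is denied. The script audits a constructed shadow excerpt and two constructed /etc/pam.d/su fragments to show which blank-password accounts su could reach. It assumes pam_unix.so is referenced directly in the su file; on distributions that pull it in through an include such as common-auth, the check would have to follow that included file instead.

```shell
#!/bin/sh
# Added example, not from the busybox patch or the thread.
# Audits whether blank-password accounts are reachable through su under a
# given PAM configuration. All input files below are constructed samples.

SAMPLE_SHADOW=$(mktemp)
PAM_SU_PERMISSIVE=$(mktemp)
PAM_SU_STRICT=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW" "$PAM_SU_PERMISSIVE" "$PAM_SU_STRICT"' EXIT

# Constructed /etc/shadow excerpt: root has a blank password, daemon and
# www-data are locked ("*" / "!"), alice has a hashed password.
cat > "$SAMPLE_SHADOW" <<'EOF'
root::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
www-data:!:17000:0:99999:7:::
alice:$6$saltsalt$constructedhashvalue:17000:0:99999:7:::
EOF

# Constructed /etc/pam.d/su with nullok: a blank password authenticates.
cat > "$PAM_SU_PERMISSIVE" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
EOF

# Constructed /etc/pam.d/su without nullok: blank passwords are rejected,
# so su cannot reach an account whose password is blank.
cat > "$PAM_SU_STRICT" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
EOF

# Print the names of accounts whose shadow password field is empty.
# A locked field ("*" or "!") is not blank and is not listed.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Succeed if the given pam.d file has an auth line for pam_unix.so carrying
# nullok, i.e. su would accept an empty password for the target account.
pam_su_accepts_blank() {
    grep -qE '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$1"
}

# For every blank-password account in the shadow file, report whether su
# configured by the given pam.d file could reach it.
su_reachability() {
    shadow=$1
    pamsu=$2
    if pam_su_accepts_blank "$pamsu"; then
        verdict="reachable via su (nullok)"
    else
        verdict="denied by su (no nullok)"
    fi
    blank_password_accounts "$shadow" | while read -r user; do
        printf '%s: %s\n' "$user" "$verdict"
    done
}

# Usage: compare the two configurations against the same shadow excerpt.
echo "permissive su:"
su_reachability "$SAMPLE_SHADOW" "$PAM_SU_PERMISSIVE"
echo "strict su:"
su_reachability "$SAMPLE_SHADOW" "$PAM_SU_STRICT"
```

The only line that differs between the two su fragments is the presence of `nullok`; pam_rootok.so is there in both so that an already-root caller is unaffected, which matches normal su configuration. A console login service that keeps `nullok` is what preserves the "walk up to the box" access the thread is after.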