#5058 NORM Never A: root password is empty and identical on all XO's
Zarro Boogs per Child
bugtracker at laptop.org
Wed Nov 21 07:07:37 EST 2007
#5058: root password is empty and identical on all XO's
----------------------+-----------------------------------------------------
 Reporter:  gnu       |       Owner:  mstone
     Type:  defect    |      Status:  new
 Priority:  normal    |   Milestone:  Never Assigned
Component:  security  |     Version:  Build 623
 Keywords:            |    Verified:  0
----------------------+-----------------------------------------------------
We can have the greatest security available, but if a virus or worm can
run "su" or "ssh root@localhost" and get a root shell without even trying
to crack the password, there is going to be little we can do to stop it
from spreading.
(An ssh worm can login from a non-XO, subvert your XO, and then with that
machine's security bypassed, log into and attack all its XO neighbors.)
It won't work to try to restrict access to run particular SUID programs or
access particular ports, but I suspect it will be more fruitful to figure
out how to avoid a root password that's constant (or predictable with an
algorithm), while still letting the kid who owns the laptop reliably get
in as root when needed.
(We could pick a random root password, print it on a sticker and stick it
to the XO before shipment. Put it in the battery compartment? The
encrypted form could be put into the manufacturing tags, so that every
laptop ships with an identical OS, but at the first boot, this password is
set on the root account.)
(We have a similar problem with the "olpc" account -- since so many of the
user's files are owned by it, they will be easy to corrupt. But since
Sugar does an automatic login as this user, perhaps its password can be
set by default to an impossible value. Thus no script or program would be
able to su or login as olpc, unless the owner first explicitly changed the
password from the autologged-in console.)
--
Ticket URL: <http://dev.laptop.org/ticket/5058>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system
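The two mechanisms the report sketches, an audit for password-less accounts and a first-boot step that sets root's password from a per-device tag while locking the auto-logged-in "olpc" account, as an added example that is not code from the ticket or from OLPC. It works on a copy of a shadow(5)-format file so it runs unprivileged; the file names under a temporary directory, the sample accounts and the placeholder hash are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the ticket or from OLPC. It exercises the two
# ideas in the report on a *copy* of a shadow(5)-format file so it can run
# unprivileged: (1) audit for accounts whose password field is empty, which
# is what lets "su" or "ssh root@localhost" in without a guess, and (2) the
# first-boot step that sets root's hash from a per-device tag and locks the
# auto-logged-in "olpc" account. File names and the hash are constructed.

# Names of accounts whose password field (field 2) is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Names of accounts whose password field is locked: a leading "!" or "*" can
# never match crypt(3) output, so password-based su/login always fails.
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# First-boot provisioning on a shadow-format file ($1) using a pre-hashed
# root password read from a tag file ($2). Refuses to proceed if the tag is
# missing or empty, since writing an empty hash would recreate the problem.
# On a live system the equivalent is `usermod -p "$hash" root; usermod -L olpc`.
apply_first_boot() {
    shadow=$1
    taghash=$(cat "$2" 2>/dev/null || true)
    if [ -z "$taghash" ]; then
        echo "refusing: no root hash in tag $2" >&2
        return 1
    fi
    awk -F: -v OFS=: -v h="$taghash" '
        $1 == "root" { $2 = h }
        $1 == "olpc" { $2 = "!" }
        { print }' "$shadow" > "$shadow.new" && mv "$shadow.new" "$shadow"
}

# Constructed sample data (not from a real XO build): root and olpc ship with
# empty password fields, daemon is already locked.
work=$(mktemp -d)
cat > "$work/shadow" <<'EOF'
root::13800:0:99999:7:::
olpc::13800:0:99999:7:::
daemon:*:13800:0:99999:7:::
EOF
# Stand-in for the manufacturing tag holding crypt(3) output of a random
# per-laptop password; the value is a placeholder, not a real hash.
printf '%s\n' '$6$PLACEHOLDERSALT$PLACEHOLDERHASH' > "$work/mfg_root_hash"

echo "before, empty passwords: $(empty_password_accounts "$work/shadow" | tr '\n' ' ')"
apply_first_boot "$work/shadow" "$work/mfg_root_hash"
echo "after,  empty passwords: $(empty_password_accounts "$work/shadow" | tr '\n' ' ')"
echo "after,  locked accounts: $(locked_accounts "$work/shadow" | tr '\n' ' ')"
```

The audit functions are the part worth keeping on a real system: pointed at /etc/shadow (read-only, as root) they show directly whether any account can be entered without a password. The provisioning function only models the first-boot step; on a live machine the same change is made with usermod rather than by rewriting the file.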