root password

Albert Cahalan acahalan at gmail.com
Wed Jan 2 23:47:07 EST 2008


Bernardo Innocenti writes:

> "su" uses pam.  pam_wheel can check that you belong to the
> group wheel (or any other group) before granting you access.

I got it to work with a different pam module, and placed
that info into trac. http://dev.laptop.org/ticket/5537

#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      required    pam_succeed_if.so use_uid user ingroup wheel
auth      include     system-auth
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   optional    pam_xauth.so

> Even better, we could put
>
>  /sbin/mingetty --noclear --autologin root tty1
>
> in inittab to circumvent the issue altogether.

This is an excellent idea. Doing tty1 through tty6 would
be good.

I strongly feel that:

if sudo works
then su must work

Note that the above does not require sudo to work. It doesn't
even require su to work, given that sudo doesn't work.

I don't believe there is any real need to protect the root
account from the olpc account. If there is, then a root login
should require the SAK key. (Alt-Ctrl-SysRq by default)
This is the only way to be sure that one is not typing into
a trojan. Maybe Fn-Esc makes a good SAK key.
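
The following is an added example, not part of the original message: a simplified Python model of how Linux-PAM control flags decide the auth stack in the su configuration quoted above. The function names are hypothetical, the module outcomes are constructed inputs, and the contents of system-auth (not shown in the message) are assumed to reduce to a single password pass/fail.

```python
# Added example: simplified model of Linux-PAM control flags (not real PAM code).
# The su configuration from the message, embedded verbatim as sample input.
SU_PAM = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      required    pam_succeed_if.so use_uid user ingroup wheel
auth      include     system-auth
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   optional    pam_xauth.so
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True/False (constructed module outcomes).
    Assumption: an 'include'd stack is reduced to one required pass/fail."""
    failed = passed = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True              # short-circuit: later modules never run
        elif control == "requisite":
            if not ok:
                return False             # fail immediately
            passed = True
        elif control in ("required", "include"):
            passed, failed = passed or ok, failed or not ok  # keep running the stack
        # 'optional' results are ignored when other modules decide the outcome
    return passed and not failed

def su_allowed(is_root, in_wheel, password_ok):
    # Constructed outcomes for the three auth modules in the config above.
    results = {"pam_rootok.so": is_root,
               "pam_succeed_if.so": in_wheel,
               "system-auth": password_ok}
    return evaluate(parse_stack(SU_PAM), results)
```

In this model a caller who is already root passes without a password, a user outside wheel is refused even with the correct password, and a wheel member still has to pass system-auth.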


