disabling root and olpc passwords
ffm
ffm at intserverror.com
Sun Jan 13 19:33:14 EST 2008
On Jan 13, 2008 6:59 PM, Bernardo Innocenti <bernie at codewiz.org> wrote:
> What use is it if an application can login, su or sudo as
> user olpc with no password and _then_ su to root?
Fixed by chmod'ing su and sudo 770 and then chgrp to olpc.
> You can close all the open doors one by one by ruling out
> logins with empty passwords like ssh does, but then what
> would be the difference between an empty password and
> no password at all?
>
There isn't one.
> Captain Obvious just told me that on any UNIX system, setting
> an empty password should enable a user to login without typing
> a password, while disabling the password should instead disable
> logins by that user.
>
> The ssh default of not accepting empty passwords is just
> a bit too paranoid for some scenarios, and not paranoid enough
> for others (why not also disallow stupid passwords? :-)
Because unhashed versions of passwords are not stored, so password stupidity
cannot be assessed at that point.
> While I would certainly consider improvements, what's wrong
> that we're trying to fix with this simple solution we already
> adopted?
Still would be a good idea to do the thing with sudo and su that I mentioned
earlier.
-ffm
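As an added example (not part of ffm's or Bernardo's mail, and not OLPC code), a small POSIX sh audit that parses /etc/shadow-format lines and separates the empty-password case from the disabled-password case the thread distinguishes; the shadow lines below are constructed sample data with placeholder hashes.

```shell
#!/bin/sh
# classify_shadow_entry: given one /etc/shadow line, print "<user> <state>" where state is
#   EMPTY  - password field is empty: the empty-password case in the thread
#            (the user can log in without typing a password)
#   LOCKED - field starts with '!' or '*': the password is disabled, so no
#            password login is possible for that user
#   HASHED - a hash is present: a password must be typed
# The hash itself is never printed.
classify_shadow_entry() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        "")        state=EMPTY ;;
        '!'*|'*'*) state=LOCKED ;;
        *)         state=HASHED ;;
    esac
    printf '%s %s\n' "$user" "$state"
}

# Constructed sample shadow data (not from any real system); hashes are fake placeholders.
SAMPLE_SHADOW='root:$6$FAKEHASHPLACEHOLDER:13890:0:99999:7:::
olpc::13890:0:99999:7:::
bin:*:13890:0:99999:7:::
games:!!:13890:0:99999:7:::
svc:!$6$FAKEHASHPLACEHOLDER:13890:0:99999:7:::'

# list_passwordless: print the users whose entry allows login with no password at all.
list_passwordless() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        classify_shadow_entry "$line"
    done | awk '$2 == "EMPTY" { print $1 }'
}

# On a real machine: list_passwordless "$(cat /etc/shadow)"   (needs root)
list_passwordless "$SAMPLE_SHADOW"
```

The `!!`/`!<hash>` forms show that a locked account can still carry an old hash, so the audit must key on the leading character rather than on the field being non-empty.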