[gobolinux-devel] [GoboLinux 014-release candidate 0000221]: Installer disallowing empty SuperUser password

Jonas Karlsson jonka750 at student.liu.se
Thu Dec 13 18:42:20 NZDT 2007


On Thu, 13 Dec 2007 01:14:19 +0100, Isaac Dupree <isaacdupree at charter.net> wrote:

> Jonas Karlsson wrote:
>> On Tue, 11 Dec 2007 19:46:33 +0100, <bugs at gobolinux.org> wrote:
>>
>>> The following issue has been SUBMITTED.
>>> ======================================================================
>>> http://bugs.gobolinux.org/view.php?id=221
>>> Summary:                    Installer disallowing empty SuperUser password
>>> Description:
>>> Right now you can not set "empty" passwords.
>>>
>>> The problem is that the installer decides this for you, not you as user.
>>> (Admittedly this is a super-trivial thing but at least a dev can explain
>>> why it should be this or that way. I explain my point of view on it soon.)
>>>
>>> I propose the:
>>>   "may not set empty passwords"
>>> during Installer be changed to a warning instead like this:
>>>   "Warning - it is not recommended to have an empty password for the
>>> superuser account. If you insist to have this though, just continue."
>>>
>>> or similar in wording.
>>
>> I'm not sure about what others think of this, but I agree that allowing an
>> empty superuser password can be a valid option in some cases. I've attached
>> my proposal for a solution for this issue. It locks the superuser account,
>> like how it's done in Ubuntu, if no password is given. It also notices the
>> user about this and warns
>
> While that may make sense, it doesn't allow you to choose an empty
> superuser password upon installation.  Instead, it interprets "empty" as
> "no login password at all", whether the user wants this or not.  I just
> don't see how
> "allowing an empty superuser password can be a valid option in some
> cases" is solved by your "proposal for a solution for this issue".  Or
> is your only problem that it gives an error when empty password is
> given, not zero-length-password having a semantics consistent with other
> passwords?  I'm a little confused.

Even though a completely empty password is the most free choice, this is the
best I can do. Unless the majority wants to be able to set an empty password
and at the same time allowing superuser logins (and can give a *good*
motivation) this is probably how far I will go in implementing this (or just
a little bit further, look further down).

When I said "allowing an empty superuser password" I meant in the installer.
I don't think it's valid in an installed system.

>
> although, unix sometimes has trouble with zero-length passwords; and
> there is the password "locking" that we may like to give an interface
> to; so maybe it makes sense to disallow zero-length and to use the same
> field to trigger "locking"?
>
Adding a checkbox "Do not lock superuser if password is empty" or similar
may be an option. That together with at least two levels of warnings before
being able to continue past that screen.
Still I'm not sure it's a good idea to enable a superuser with an empty
password. Even if the user knows what he/she is doing.

-- 
/Jonas
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
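
The thread turns on three different states for the superuser password field: empty, locked, and set. As an added example (not part of the original message and not the GoboLinux installer's code), this classifies /etc/shadow-style entries into those states; the sample lines, account names and function names are constructed for illustration.

```python
# Added example: tell an empty password apart from a locked account.
# SAMPLE_SHADOW is constructed; it is not taken from a real system.

SAMPLE_SHADOW = """\
root::13860:0:99999:7:::
admin:!:13860:0:99999:7:::
alice:$6$constructedsalt$constructedhash:13860:0:99999:7:::
daemon:*:13860:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:13860:0:99999:7:::
"""


def classify_field(pw_field):
    """Return 'empty', 'locked' or 'set' for one shadow password field."""
    if pw_field == "":
        # No password is required (subject to PAM settings such as nullok).
        return "empty"
    if pw_field[0] in "!*":
        # No typed password can ever match, so password login is disabled.
        # A hash kept after the '!' (as for bob) is what `passwd -l` leaves.
        return "locked"
    return "set"


def classify_shadow(text):
    """Map each account name to the state of its password field."""
    states = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry, skip it
        states[fields[0]] = classify_field(fields[1])
    return states


def empty_password_accounts(text):
    """Accounts an audit should flag: login possible with no password."""
    return sorted(u for u, s in classify_shadow(text).items() if s == "empty")


if __name__ == "__main__":
    for user, state in classify_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
    print("flag:", empty_password_accounts(SAMPLE_SHADOW))
```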

