[gobolinux-devel] [GoboLinux 014-release candidate 0000221]: Installer disallowing empty SuperUser password
Isaac Dupree
isaacdupree at charter.net
Fri Dec 14 08:11:28 NZDT 2007

Nathan Middleton wrote:
> I'm in no way a developer, but having an interest in Gobo and wanting
> it to succeed I'd like to just mention that you run a risk of possibly
> being seen as "insecure" to some people by allowing a user to install
> with an empty root password. I'm still trying to figure out how this
> would ever be a valid installation option, ever. IDK, just my 2 cents
> worth.

I don't see how an empty password is much more "insecure" than having
your password be "password" and telling everyone about it. SSH often
disallows logging in as root by default, even when it is run, I think
(even though having other users that can sudo is equally insecure,
especially when root is named something unknown like 'gobo'). If the
only people who have physical access to the computer should be able to
control root, and have really bad memories, I think an obvious root
password might be the safest solution. Again, the existence of a bad
password doesn't mean you'll ever even be given the chance to provide it
or see a login prompt.

On the other hand, I recall some Gobo scripts use sudo failure as
choosing not to provide a password, telling you to press enter if you
want to proceed without using the password. Empty root password should
probably be considered like, say, not having proc and sysfs in your
fstab: not necessarily a correct system state.

Isaac