Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!uunet!in3.uu.net!158.43.192.17!rill.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.utell.co.uk!usenet
From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Root Password
Date: 1 May 1997 13:43:33 GMT
Organization: Awfulhak Ltd.
Lines: 66
Message-ID: <5ka6m5$a45@ui-gate.utell.co.uk>
References: <18F8FF21930307C2.9C8789DEFA86E574.971B7B7D034EAE5D@library-proxy.airnews.net> <3365A2AB.2F1CF0FB@FreeBSD.org> <5k66e2$quc@lace.colorado.edu> <5k74k8$p26@ui-gate.utell.co.uk> <5k8rk9$jpt@lace.colorado.edu>
Reply-To: brian@awfulhak.org, brian@utell.co.uk
NNTP-Posting-Host: shift.utell.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Newsreader: knews 0.9.8
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:40107

In article <5k8rk9$jpt@lace.colorado.edu>,
fcrary@rintintin.Colorado.EDU (Frank Crary) writes:
> In article <5k74k8$p26@ui-gate.utell.co.uk>,
> Brian Somers <brian@awfulhak.org, brian@utell.co.uk> wrote:
[.....]
>>On a lot of my home installations I have no root password...
>
> Good point. I guess I'm just paranoid... For a machine at home, with
> no network connections (and assuming you trust all the people who
> live with you, e.g. no one who might get mad at you and screw up
> your computer to get back at you) no root password wouldn't be a problem.

Well, even if you don't trust them, physical access makes you God
anyway, barring encryption. You can always boot from a floppy.

>> - even
>>on un-firewalled machines connected to the Internet. As long
>>as everything except a few vtys is insecure and my account has
>>a password that nobody knows and is the only one in group wheel,
>>I'm safe.
>
> I don't quite follow this. As far as I know, root needs to be in
> the wheel group, so I don't understand the comment about your
> personal account being the only one in the wheel group.

Nope. The group field in /etc/passwd makes you a member irrespective
of whether you are a "guest" of that group in /etc/group. However,
this makes no difference (at all, that I know of).

My point is that there's no way for someone without physical access
to the machine (and without my password) to become root. As I already
said, as far as I'm concerned, physical access allows you to do
anything that root can do if you've got the smarts.

>>I'm asking for it, but I'm safe.
>
> Good physical security is very nice.
>
>>It's nice to not have to dick around with passwords once
>>I've logged in once.
>
> Perhaps. That's a personal choice, if you ask me, one of the trade
> offs between usability and security. Personally, I don't mind the
> need for passwords to become root, but other people might disagree.
> However, this was about the default arrangement for FreeBSD. Since
> a large number of machines using FreeBSD aren't isolated machines
> in someone's home, I don't think allowing no root password is a
> good idea. Ideally, I'd want a requirement for a root password, and
> an option to intentionally allow no password. That would be reasonably
> convenient for home users, but close the security problem caused
> by careless sysadmins for other machines.

I agree. The user should be forced to enter a password, and then,
after entering nothing and being asked "are you sure" a few times,
an empty password should be allowed.

Empty passwords are at least dangerous, and can be disastrous.

>
> Frank Crary
> CU Boulder

--
Brian <brian@awfulhak.org> <brian@freebsd.org>
<http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour !
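
The two things discussed in the post above, empty password fields and membership of wheel through the gid field of a passwd entry versus the member list in /etc/group, as an added audit example that is not part of the original post. The account names and file contents are constructed, and the 10-field layout assumes FreeBSD's master.passwd format.

```python
"""Audit passwd/group text for empty passwords and wheel membership."""

# Constructed sample in FreeBSD master.passwd layout (10 colon-separated fields).
SAMPLE_PASSWD = """\
# constructed example data
root::0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$constructed$notarealhash:1001:0::0:0:Alice:/home/alice:/bin/tcsh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
"""
# Constructed /etc/group: alice is NOT listed under wheel, bob is.
SAMPLE_GROUP = """\
wheel:*:0:root,bob
bob:*:1002:
guest:*:1003:
"""

def parse_passwd(text):
    """Yield (name, password_field, uid, gid); works for 7- or 10-field lines."""
    for line in text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) < 7:
            continue  # comment, blank or malformed line
        yield f[0], f[1], int(f[2]), int(f[3])

def parse_group(text):
    """Return {group_name: (gid, set_of_listed_members)}."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) < 4:
            continue
        groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups

def audit(passwd_text, group_text, group="wheel"):
    """Report empty-password accounts and how each member belongs to `group`."""
    gid, listed = parse_group(group_text)[group]
    report = {"empty_password": [], "members": {}}
    for name, pw, uid, user_gid in parse_passwd(passwd_text):
        if pw == "":
            report["empty_password"].append(name)
        how = set()
        if user_gid == gid:
            how.add("primary")   # gid field in the passwd entry
        if name in listed:
            how.add("listed")    # member list in /etc/group
        if how:
            report["members"][name] = how
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_GROUP))
```

On a real system the inputs would be the contents of /etc/master.passwd (readable only by root) and /etc/group.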