On Fri, May 24, 2013 at 11:28 AM, Juerg Haefliger <[email protected]> wrote:

> On Fri, May 24, 2013 at 5:20 PM, Matthew Miller
> <[email protected]> wrote:
> > On Fri, May 24, 2013 at 10:57:29AM -0400, seth vidal wrote:
> >> How about we do away with the 'faux user which is and is not root even
> >> though they are a trivial unpassworded sudo away' security theater that
> >> amazon and ubuntu have been peddling for years now.
> >>
> >> I mean seriously - it's meaningless - let's stop pretending.
> >
> > I don't see it as a security feature (for the obvious reasons you give).
> >
> > It's more like the blade cover on a lawn mower. Sure, that's not locked and
> > you can easily remove it, but a large amount of normal operation -- even
> > sysadmin work! -- doesn't require you to stick your fingers in there.
> >
>

I think there's a distinction here between two things:

1) Creating a non-root user (or any number of them) that you _can_ use.
2) Disabling root login

We can do #1 without doing #2.


> > By not requiring a password, there's an easy-quick-release lock, and hey,
> > you can always 'sudo su -' if you want to mow the grass without the cover.
> > But it's still good practice to leave the cover on when you don't actually
> > need to adjust something or fix a problem.
> >
> > We're not forcing that practice on anyone (you can disable the creation of
> > the user in user-data, and I even include a snippet to just use root in the
> > cloud-ks file), but I think it's a good default.
> >
> > That Ubuntu and Amazon do a similar thing just makes it easier.
>
> I agree with Matt. Security wise it doesn't make a lot of sense. But
> it protects the casual user from shooting himself in the foot. What's
> the downside?
>

The downside is that this actually can introduce some unexpected behavior
in automated scripting that throws off novice users (and just annoys
others).  Sudo strips environment settings, and for example, you lose
forwarded ssh agent settings.  Sure, you can make workarounds for things
like that, but I think Seth's point is that this is a fairly useless hoop
to make people jump through.

(I confess that originally I was one of the people trying to make these
images "like everyone else", but now I seem to be in the "just annoyed"
camp on this particular one.)

Andy


>
> ...Juerg
>
>
> >
> >
> > --
> > Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <[email protected]>
> > _______________________________________________
> > cloud mailing list
> > [email protected]
> > https://admin.fedoraproject.org/mailman/listinfo/cloud
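An added example of the sudo behaviour Andy describes (not code from this thread or from the Fedora cloud images): a POSIX shell check of whether a sudoers policy keeps SSH_AUTH_SOCK across the `sudo` boundary, either through an `env_keep` entry or by turning `env_reset` off, run against two constructed sudoers drop-ins. The `clouduser` account name and the file contents are assumptions made for the example.

```shell
#!/bin/sh
# Return 0 if variable $2 survives 'sudo' under the sudoers file $1.
# Handles the plain 'Defaults env_keep = ...' / '+= ...' forms and a global
# '!env_reset'; it does not parse per-user Defaults or @include files.
env_keep_preserves() {
    sudoers_file=$1
    var=$2
    # With env_reset switched off, the whole caller environment is passed through.
    if grep -qE '^[[:space:]]*Defaults[^#]*!env_reset' "$sudoers_file"; then
        return 0
    fi
    # Otherwise only the env_keep list survives: collect every env_keep line,
    # drop the left-hand side and quotes, and look for the variable as a word.
    grep -E '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+?=' "$sudoers_file" \
        | sed -e 's/^[^=]*=//' -e 's/"//g' \
        | tr -s '[:blank:]' '\n' \
        | grep -qx "$var"
}

# Constructed sample: the kind of drop-in a cloud image ships for its default
# user. env_reset is on and nothing is kept, so a forwarded agent socket is
# gone as soon as a script runs 'sudo'.
STOCK_SUDOERS=$(mktemp)
cat >"$STOCK_SUDOERS" <<'EOF'
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
clouduser ALL=(ALL) NOPASSWD: ALL
EOF

# Constructed sample: the same policy with the one line that keeps the socket.
FIXED_SUDOERS=$(mktemp)
cat >"$FIXED_SUDOERS" <<'EOF'
Defaults    env_reset
Defaults    env_keep += "SSH_AUTH_SOCK"
clouduser ALL=(ALL) NOPASSWD: ALL
EOF
trap 'rm -f "$STOCK_SUDOERS" "$FIXED_SUDOERS"' EXIT

# Report both samples so the script says something useful when run directly.
report() {
    for f in "$STOCK_SUDOERS" "$FIXED_SUDOERS"; do
        if env_keep_preserves "$f" SSH_AUTH_SOCK; then
            echo "$f: SSH_AUTH_SOCK preserved"
        else
            echo "$f: SSH_AUTH_SOCK dropped by env_reset"
        fi
    done
}
report
```

On a live host the same question is answered by running `sudo env | grep SSH_AUTH_SOCK` from a session that was started with agent forwarding; an empty result means the agent is unreachable inside sudo.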