The current freedom-maker build setup for dreamplug set up three unix users in /etc/passwd with a valid password, and plinth include another user in its user database to log into plinth. Why is this? Having users with valid passwords that are not regularly used is a security problem, and it seem to me a better idea to avoid setting passwords for most of these. The users in questions are:
/etc/passwd, /etc/shadow root / freedom fbx / frdm plinth / config plinth, /var/lib/plinth/users.sqlite3 and /var/lib/plinth/users/admin admin / secret At the moment plinth run as the www-data user, perhaps it should be changed to run as the plinth user, and the plinth user be created as a system user without a valid password? All of them run with publicly known passwords. I suspect we should rewrite the first-page module in plinth to ask for username and password and create the administrative user instead of providing one hardcoded into plinth. What is the point of having both the users root and fbx? Is it not enough with one normal user, and set up sudo for this user to get root access, or perhaps disable it completely and depend on some plinth GUI to set the password on a regular unix user? -- Happy hacking Petter Reinholdtsen _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
