Nathan Middleton wrote:
> I'm in no way a developer, but having an interest in Gobo and wanting
> it to succeed I'd like to just mention that you run a risk of possibly
> being seen as "insecure" to some people by allowing a user to install
> with an empty root password.  I'm still trying to figure out how this
> would ever be a valid installation option, ever.  IDK, just my 2 cents
> worth.

I don't see how an empty password is much more "insecure" than having 
your password be "password" and telling everyone about it.  SSH often 
disallows logging in as root by default, even when it is run, I think 
(even though having other users that can sudo is equally insecure, 
especially when root is named something unknown like 'gobo').  If the 
only people who have physical access to the computer should be able to 
control root, and have really bad memories, I think an obvious root 
password might be the safest solution.  Again, the existence of a bad 
password doesn't mean you'll ever even be given the chance to provide it 
or see a login prompt.

On the other hand, I recall some Gobo scripts use sudo failure as 
choosing not to provide a password, telling you to press enter if you 
want to proceed without using the password.  Empty root password should 
probably be considered like, say, not having proc and sysfs in your 
fstab: not necessarily a correct system state.

Isaac
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
