Re: root password
Hi - I don't to varciperate, however --- think about toys. A child uses a toy to discover things about his/her universe at a certain point in time. That is the concept behind OLPC. In constructionist philosophy, a child is given the tools to construct and more importantly share constructed music videos (e.g. tam tam) rather than to listen to them.

On Jan 10, 2008 7:44 PM, Ivan Krstić [EMAIL PROTECTED] wrote:

On Jan 10, 2008, at 10:19 PM, Carl-Daniel Hailfinger wrote:

Besides the nasty wording of your criticism of Albert's opinion, it is quite interesting that you think emphasizing the toy factor displays a stunning level of ignorance and failure of comprehension.

In context, Albert uses the word 'toy' as invective. I read his message to say, approximately, that any real use of the machines will be restricted to those kids that the machines turn into bearded UNIX hackers; to all other kids, they'll be nothing more than a video game platform. That position is irreconcilable with the project's stated purpose or the philosophy behind it.

-- Ivan Krstić [EMAIL PROTECTED] | http://radian.org

-- Regards, Steve
Steven C. Fullerton email: [EMAIL PROTECTED] cell/voice mail: 619.339.9116
___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: autologin and Console font (Was: root password)
(cc kbd, alexey, andries)

Albert Cahalan wrote:

On Jan 3, 2008 4:06 AM, Bernardo Innocenti [EMAIL PROTECTED] wrote:

Albert Cahalan wrote:

I quite like this Press ESC twice for shell solution. Reminds of the FidoNet era, if you're old enough to know what I'm talking about.

Merely switching to the console should do the job. Linux provides an ioctl, VT_WAITACTIVE, to let a program wait for a tty to become activated. With the SAK solution, child death will notify the parent process. The parent can then start getty.

For now, we added an option to mingetty to wait for enter before proceeding to the autologin. And I did the same for agetty on ttyS0. These changes landed in joyride yesterday. Check it out and let me know if you like it. If you write a minimal autogetty, I'd be willing to take it for the additional memory saving. But please, also do the packaging and fedora review process.

I have about 2000 glyphs, but Linux currently can't handle more than 256 (or 512 w/o bright backgrounds) because the internal representation is still tied to VGA. I thus trim my font to the regular PC character set. If the kernel were fixed though, you could have 2000 glyphs. The 256-glyph file is attached.

Looks nice! I'm soon going to branch the kbd package in OLPC-2 to add a couple of console keyboard maps that Walter made. We could use this opportunity to add your font. Please, also send me the full font, and let me know under what license the original glyphs were. I just got in contact with the Fedora and top-level kbd maintainers (reading us on cc) to push our changes back upstream. Is it ok if I contribute your font upstream?

The project has failed if it doesn't create new UNIX die hards. These will be the people who drive the future economy. The non-nerd kids are getting toys.

We can expect a (small) percentage of the kids to become very good hackers. Didn't we all learn this very same way? :-)

--
 \___/
 |___|  Bernardo Innocenti - http://www.codewiz.org/
  \___\ One Laptop Per Child - http://www.laptop.org/

15x30pc.psf.gz Description: GNU Zip compressed data
Re: root password
On Jan 3, 2008, at 1:21 PM, Albert Cahalan wrote:

The non-nerd kids are getting toys.

(Sidenote: this displays a stunning level of ignorance and failure of comprehension of the project's goals.)

-- Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: root password
On 11.01.2008 03:33, Ivan Krstić wrote:

On Jan 3, 2008, at 1:21 PM, Albert Cahalan wrote:

The non-nerd kids are getting toys.

(Sidenote: this displays a stunning level of ignorance and failure of comprehension of the project's goals.)

Reminds me of a nice quote from an OLPC official (I forgot who exactly said this): "This is not an opensource laptop project, it is an education project." Unfortunately, in the early days of OLPC the message was more like "This is an opensource laptop project with the ultimate goal of enabling better education for kids.". I have to admit I was quite disappointed with the perceived change of the goals of the project.

Besides the nasty wording of your criticism of Albert's opinion, it is quite interesting that you think emphasizing the toy factor displays a stunning level of ignorance and failure of comprehension. We deliver *games* to *kids* as a key aspect of the project, but the machines are *not* toys? Please clarify.

Regards, Carl-Daniel
Re: root password
On Jan 10, 2008, at 10:19 PM, Carl-Daniel Hailfinger wrote:

Besides the nasty wording of your criticism of Albert's opinion, it is quite interesting that you think emphasizing the toy factor displays a stunning level of ignorance and failure of comprehension.

In context, Albert uses the word 'toy' as invective. I read his message to say, approximately, that any real use of the machines will be restricted to those kids that the machines turn into bearded UNIX hackers; to all other kids, they'll be nothing more than a video game platform. That position is irreconcilable with the project's stated purpose or the philosophy behind it.

-- Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: root password
Albert Cahalan wrote:

I thought so too, but testing seems to show that pam_wheel.so will only protect transitions to the root account. It does not protect olpc, at least not without some undocumented option.

Are you thinking that we should disable the password for the olpc user too? Well, we should: if we don't, malicious activities will be able to login as olpc :-)

Using just 2 shells was a way to save some memory. Kids will use none. Whoever needs more can easily edit /etc/inittab.

Shall I write you a tty-watcher program in assembly code? This really shouldn't cost much memory. Even with glibc, I doubt the dirty memory was all that much. BTW, I'm serious about the assembly code.

Well, if it's just for fun... but I think the Python developers would not appreciate it :-) Seriously, before we start coding solutions, let's first reach consensus with the security team on how we should handle login. Otherwise we risk wasting effort. I quite like this Press ESC twice for shell solution. Reminds of the FidoNet era, if you're old enough to know what I'm talking about.

Good point, but if we left just that in place, we'd have to ask people to use the ugly text console more often, where the keyboard works partially and there's no cut & paste.

It's not ugly if you ship the nice 15x30 font I made.

Where is it? Does it include a decent amount of unicode glyphs? sun12x22 has too few of these, so it doesn't even support many European languages.

Cut-and-paste can be fixed, with the difficulty depending on how perfect you want it. One can run gpm. This can be started when a user logs in on the console. One could even write something to feed that into the X clipboard and back.

Yes, theoretically. But we don't ship gpm and we don't want to put much more effort on improving the console environment that only UNIX die hards like me and you enjoy using when we still have a journal that eats files and a mouse cursor that flashes when you render below it.

I'm almost going to reiterate my old black text on white bg console patch, which nobody seemed to appreciate :-)

--
 \___/
 |___|  Bernardo Innocenti - http://www.codewiz.org/
  \___\ One Laptop Per Child - http://www.laptop.org/
Re: root password
On Jan 3, 2008 4:06 AM, Bernardo Innocenti [EMAIL PROTECTED] wrote:

Albert Cahalan wrote:

I quite like this Press ESC twice for shell solution. Reminds of the FidoNet era, if you're old enough to know what I'm talking about.

Merely switching to the console should do the job. Linux provides an ioctl, VT_WAITACTIVE, to let a program wait for a tty to become activated. With the SAK solution, child death will notify the parent process. The parent can then start getty.

Good point, but if we left just that in place, we'd have to ask people to use the ugly text console more often, where the keyboard works partially and there's no cut & paste.

It's not ugly if you ship the nice 15x30 font I made.

Where is it? Does it include a decent amount of unicode glyphs? sun12x22 has too few of these, so it doesn't even support many European languages.

I have about 2000 glyphs, but Linux currently can't handle more than 256 (or 512 w/o bright backgrounds) because the internal representation is still tied to VGA. I thus trim my font to the regular PC character set. If the kernel were fixed though, you could have 2000 glyphs. The 256-glyph file is attached.

Cut-and-paste can be fixed, with the difficulty depending on how perfect you want it. One can run gpm. This can be started when a user logs in on the console. One could even write something to feed that into the X clipboard and back.

Yes, theoretically. But we don't ship gpm and we don't want to put much more effort on improving the console environment that only UNIX die hards like me and you enjoy using when we still have a journal that eats files and a mouse cursor that flashes when you render below it.

The project has failed if it doesn't create new UNIX die hards. These will be the people who drive the future economy. The non-nerd kids are getting toys.

15x30pc.psf.gz Description: GNU Zip compressed data
root password
I think we should re-enable the empty root password for Update.1. The reason why is that we have plenty of documentation in the wiki and elsewhere suggesting people to login as root or to su as root. There should be at least a transition period so the support people don't get flooded with questions on how to login as root.

We could also use pam_wheel to let olpc become root with no password using the friendlier su in addition to sudo.

Even better, we could put

  /sbin/mingetty --noclear --autologin root tty1

in inittab to circumvent the issue altogether.

--
 \___/
 |___|  Bernardo Innocenti - http://www.codewiz.org/
  \___\ One Laptop Per Child - http://www.laptop.org/
Re: root password
On Wed, 2 Jan 2008, Bernardo Innocenti wrote:

I think we should re-enable the empty root password for Update.1. The reason why is that we have plenty of documentation in the wiki and elsewhere suggesting people to login as root or to su as root. There should be at least a transition period so the support people don't get flooded with questions on how to login as root.

Can 'su' be replaced with a wrapper that runs 'sudo -s'? That way, only the olpc user can run sudo su, but activities can't get root. We could also have a race through the wiki to replace mentions of 'su' with the appropriate sudo call.

We could also use pam_wheel to let olpc become root with no password using the friendlier su in addition to sudo. Even better, we could put /sbin/mingetty --noclear --autologin root tty1 in inittab to circumvent the issue altogether.

If the OLPC security team says that's fine, then it does help avoid updating the documentation. (-:

-- Asheesh.

-- Politics is not the art of the possible. It consists in choosing between the disastrous and the unpalatable. -- John Kenneth Galbraith
Re: root password
Albert Cahalan wrote:

I got it to work with a different pam module, and placed that info into trac. http://dev.laptop.org/ticket/5537

  #%PAM-1.0
  auth       sufficient   pam_rootok.so
  auth       required     pam_succeed_if.so use_uid user ingroup wheel
  auth       include      system-auth
  account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
  account    include      system-auth
  password   include      system-auth
  session    include      system-auth
  session    optional     pam_xauth.so

This seems really equivalent to using pam_wheel.so. I think we should put your change as yet another pilgrim hack (rather than branching coreutils to edit /etc/pam.d/su).

This is an excellent idea. Doing tty1 through tty6 would be good.

Using just 2 shells was a way to save some memory. Kids will use none. Whoever needs more can easily edit /etc/inittab.

I strongly feel that: if sudo works then su must work

Thumbs up. Moreover, I strongly feel that /sbin and /usr/sbin are the creation of the devil and serve no other purpose than irritating unprivileged users when they want to call ifconfig or mount. It also interacts especially badly with sudo -s and su. Therefore, I've just added /usr/local/sbin:/usr/sbin:/sbin to the user path.

Note that the above does not require sudo to work. It doesn't even require su to work, given that sudo doesn't work.

Good point, but if we left just that in place, we'd have to ask people to use the ugly text console more often, where the keyboard works partially and there's no cut & paste. Ideally, one would rather try to make the system work so well that there would be no need to use that ever. See MacOSX.

I don't believe there is any real need to protect the root account from the olpc account.

There is: the Browse activity still runs as olpc because it is hard to containerize. But one could argue that there's not that much of a difference between compromising olpc and compromising root on a single-user machine.

If there is, then a root login should require the SAK key. (Alt-Ctrl-SysRq by default) This is the only way to be sure that one is not typing into a trojan.

Maybe Fn-Esc makes a good SAK key. I wonder how it plays with setxkbmap and loadkeys.

offtopic msbashing

On Windows, they tell users that CTRL-ALT-DEL is a protected system sequence that no application can ever intercept, but it's just a gross lie. On Windows 2000, you can edit the registry as a user to remap keys to other keys, including all of CTRL, ALT and DEL. I know because I wanted to remap CAPS-LOCK to CTRL and I did by mistake the other way around, so I couldn't login any more through MSGINA :-)

/msbashing /offtopic

--
 \___/
 |___|  Bernardo Innocenti - http://www.codewiz.org/
  \___\ One Laptop Per Child - http://www.laptop.org/
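The three settings debated in this thread (an empty root password, mingetty --autologin root in inittab, and an su PAM stack restricted to group wheel) can be checked mechanically. The script below is an added example, not code from the thread or from OLPC; the function names and all sample file contents are constructed for illustration, and it accepts either pam_wheel.so or the pam_succeed_if.so rule as the wheel gate.

```shell
#!/bin/sh
# Added example: audit the three login settings discussed in this thread.
# All file contents below are constructed samples, not taken from an OLPC build.

# True if root's password field in a shadow-format file is empty.
root_pw_empty() {
    awk -F: '$1 == "root" && $2 == "" { hit = 1 } END { exit !hit }' "$1"
}

# True if an active (uncommented) inittab entry runs a getty with --autologin root.
autologin_root() {
    grep -Eq '^[^#]*getty.*--autologin[[:space:]]+root([[:space:]]|$)' "$1"
}

# True if su's PAM stack has a required auth rule tied to group wheel.
su_wheel_gated() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+(pam_wheel\.so|pam_succeed_if\.so.*ingroup[[:space:]]+wheel)' "$1"
}

# Print one line per weak setting, then the number of findings on the last line.
audit_login() {  # args: shadow-file inittab-file pam-su-file
    n=0
    if root_pw_empty "$1"; then echo "FINDING: root has an empty password"; n=$((n + 1)); fi
    if autologin_root "$2"; then echo "FINDING: a getty logs root in automatically"; n=$((n + 1)); fi
    if ! su_wheel_gated "$3"; then echo "FINDING: su is not limited to group wheel"; n=$((n + 1)); fi
    echo "$n"
}

# Constructed sample files: empty root password, root autologin on tty1,
# and the su stack quoted in the message above.
demo=$(mktemp -d)
cat > "$demo/shadow" <<'EOF'
root::13880:0:99999:7:::
daemon:*:13880:0:99999:7:::
EOF
cat > "$demo/inittab" <<'EOF'
id:5:initdefault:
1:2345:respawn:/sbin/mingetty --noclear --autologin root tty1
#2:2345:respawn:/sbin/mingetty --autologin root tty2
EOF
cat > "$demo/su" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_succeed_if.so use_uid user ingroup wheel
auth       include      system-auth
EOF
audit_login "$demo/shadow" "$demo/inittab" "$demo/su"
rm -rf "$demo"
```

On the constructed samples it reports the empty password and the autologin entry and accepts the su stack, so the last line printed is 2.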
Re: root password
On Jan 3, 2008 12:15 AM, Bernardo Innocenti [EMAIL PROTECTED] wrote:

Albert Cahalan wrote:

  auth required pam_succeed_if.so use_uid user ingroup wheel ...

This seems really equivalent to using pam_wheel.so.

I thought so too, but testing seems to show that pam_wheel.so will only protect transitions to the root account. It does not protect olpc, at least not without some undocumented option.

This is an excellent idea. Doing tty1 through tty6 would be good.

Using just 2 shells was a way to save some memory. Kids will use none. Whoever needs more can easily edit /etc/inittab.

Shall I write you a tty-watcher program in assembly code? This really shouldn't cost much memory. Even with glibc, I doubt the dirty memory was all that much. BTW, I'm serious about the assembly code.

Moreover, I strongly feel that /sbin and /usr/sbin are the creation of the devil and serve no other purpose than irritating unprivileged users when they want to call ifconfig or mount. It also interacts especially badly with sudo -s and su. Therefore, I've just added /usr/local/sbin:/usr/sbin:/sbin to the user path.

That makes tab completion less useful for non-root users. It's nice to get more letters when you hit tab, and to get a smaller list of possible completions when you hit tab a second time.

Note that the above does not require sudo to work. It doesn't even require su to work, given that sudo doesn't work.

Good point, but if we left just that in place, we'd have to ask people to use the ugly text console more often, where the keyboard works partially and there's no cut & paste.

It's not ugly if you ship the nice 15x30 font I made. Cut-and-paste can be fixed, with the difficulty depending on how perfect you want it. One can run gpm. This can be started when a user logs in on the console. One could even write something to feed that into the X clipboard and back.

I don't believe there is any real need to protect the root account from the olpc account.

There is: the Browse activity still runs as olpc because it is hard to containerize. But one could argue that there's not that much of a difference between compromising olpc and compromising root on a single-user machine.

That's exactly what I'm thinking: all the interesting data is in the olpc account.

If there is, then a root login should require the SAK key. (Alt-Ctrl-SysRq by default) This is the only way to be sure that one is not typing into a trojan.

Maybe Fn-Esc makes a good SAK key. I wonder how it plays with setxkbmap and loadkeys.

It's intended to work, and I believe it can even kill X, but I haven't tested it.
Re: OLPC Debian root password
As I understand, gdm will not allow you to login as root without password. And there is no olpc user. So the trick is to change to text console for login, create password or user and you'll be able to login with gdm.

Maxim

On Dec 22, 2007 5:27 AM, C. Scott Ananian [EMAIL PROTECTED] wrote:

From looking at the build on updates.laptop.org, it looks to me like there is no password set for root. In any case, the debian build is rather old; you will get better results by repeating the steps at: http://wiki.laptop.org/go/Installing_Debian_as_an_upgrade This will ensure you get the latest kernel, firmware, etc.

--scott
-- ( http://cscott.net/ )
Re: OLPC Debian root password
From looking at the build on updates.laptop.org, it looks to me like there is no password set for root. In any case, the debian build is rather old; you will get better results by repeating the steps at: http://wiki.laptop.org/go/Installing_Debian_as_an_upgrade This will ensure you get the latest kernel, firmware, etc.

--scott
-- ( http://cscott.net/ )