[Gllug] Why have root passwords at all?

Bruce Richardson itsbruce at uklinux.net
Sat Mar 11 16:23:33 UTC 2006


On Sat, Mar 11, 2006 at 03:26:43PM +0000, John wrote:
> > Option 1 can be very safe if you put a little thought into it, since
> > most user-authenticated applications can be made to refuse root logins
> > and/or refuse access to accounts with blank passwords.
> 
> I'm not sure what you mean by a "user-authenticated application", but
> surely if you have an empty root password then one can log on as root
> just by typing "root" at the user prompt and pressing enter at the
> password prompt?

No, not if you set things up properly.  Most PAM modules take a "nullok"
option: if nullok is set, empty passwords are allowed.  If it is not
set, empty passwords are not allowed.  This means that having an empty
password is effectively the same as locking the account.

> 
> What about when the fsck detects errors during boot and the system says,
> "Enter root password to run fsck interactively"?

OK, see the comments about sulogin.  Even if you do not roll your own
sulogin binary, at this point you have physical access to the box and
can easily sidestep that password requirement.

Hmm.  sulogin doesn't use PAM, so there are several ways to make it and
the other ways of logging in as root behave quite differently.
Providing you're using a system with PAM support.  Hmm....

-- 
Bruce

I am now a little wary of bananas.
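The point about "nullok" above is a configuration fact that is easy to audit. The following is an added example, not code from the thread or from any PAM project: a small Python checker that parses PAM service-file lines (type, control, module, arguments, including bracketed controls such as `[success=1 default=ignore]`), reports `pam_unix.so` auth lines that carry a `nullok`-style option, and cross-references them against accounts whose shadow password field is empty. The two PAM snippets and the shadow lines are constructed samples; the treatment of any option beginning with `nullok` (e.g. `nullok_secure` on Debian-derived systems) as "allows empty passwords" is an assumption made for the audit.

```python
"""
Audit helper for the "nullok" PAM option: constructed example, not code
from the GLLUG thread. Parses PAM service-file lines and /etc/shadow-style
lines to find accounts that would actually be reachable with an empty
password through a PAM-based login path.
"""
from typing import Dict, List

# Constructed /etc/pam.d/common-auth style samples (not taken from any system).
WEAK_CONFIG = """\
# common-auth with nullok_secure: empty passwords accepted on secure ttys
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

HARDENED_CONFIG = """\
# common-auth with the nullok option removed: empty passwords refused
auth    [success=1 default=ignore]  pam_unix.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

# Constructed /etc/shadow lines: empty field, locked ('*', '!') and hashed.
SHADOW_SAMPLE = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""


def parse_pam(text: str) -> List[Dict]:
    """Parse PAM lines into dicts with keys type, control, module, args.

    Joins backslash continuation lines, drops comments and blank lines, and
    treats a bracketed control field ([success=1 default=ignore]) as one token.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: glue onto the next line
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)

    entries = []
    for line in logical:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        ptype, rest = tokens[0].lower(), tokens[1:]
        if rest and rest[0].startswith("["):
            ctrl = []
            while rest:                  # consume tokens up to the closing ']'
                tok = rest.pop(0)
                ctrl.append(tok)
                if tok.endswith("]"):
                    break
            control = " ".join(ctrl)
        else:
            control = rest.pop(0) if rest else ""
        module = rest.pop(0) if rest else ""
        entries.append({"type": ptype, "control": control, "module": module, "args": rest})
    return entries


def empty_password_lines(pam_text: str) -> List[Dict]:
    """Auth-type pam_unix.so lines whose arguments permit empty passwords.

    Assumption for this audit: 'nullok' and any 'nullok_*' variant count.
    """
    return [
        e for e in parse_pam(pam_text)
        if e["type"] == "auth" and e["module"].endswith("pam_unix.so")
        and any(a == "nullok" or a.startswith("nullok_") for a in e["args"])
    ]


def allows_empty_passwords(pam_text: str) -> bool:
    return bool(empty_password_lines(pam_text))


def empty_password_accounts(shadow_text: str) -> List[str]:
    """Account names whose shadow password field is empty ('*'/'!' are locked)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def risky_accounts(pam_text: str, shadow_text: str) -> List[str]:
    """Empty-password accounts are only reachable via PAM when nullok is on."""
    if not allows_empty_passwords(pam_text):
        return []
    return empty_password_accounts(shadow_text)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "exposed accounts:", risky_accounts(cfg, SHADOW_SAMPLE))
```

As the thread notes, this only covers PAM-based login paths; sulogin and other non-PAM entry points need to be checked separately, and physical access sidesteps the question entirely. On a real host the two samples would be replaced by the contents of the relevant files under /etc/pam.d and /etc/shadow (readable only as root).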