[OE-core] [PATCH 2/2] base-passwd: set root's default password to 'root'
Paul Eggleton
paul.eggleton at linux.intel.com
Thu Nov 24 03:18:21 UTC 2016
On Thu, 24 Nov 2016 10:01:59 Robert Yang wrote:
> On 11/23/2016 07:16 PM, Patrick Ohly wrote:
> > On Tue, 2016-11-22 at 23:49 -0800, Robert Yang wrote:
> >> [YOCTO #10710]
> >>
> >> Otherwise, we can't login as root when debug-tweaks is not in
> >> IMAGE_FEATURES, and there are no other users to login by default, so
> >> there is no way to login.
> >
> > Wait a second, are you really suggesting that OE-core should have a
> > default root password in its default configuration?
> >
> > That's very bad practice and I'm against doing it this way. Having a
> > default password is one of the common vulnerabilities in actual devices
> > on the market today. OE-core should make it hard to make that mistake,
> > not actively introduce it.
> >
> > So if you think that having a root password set (instead of empty), then
> > at least make it an opt-in behavior that explicitly has to be selected.
> > Make it an image feature so that images with and without default
> > password can be built in the same build configuration. Changing
> > base-passwd doesn't achieve that.
> >
> > Even then I'm still wondering what the benefit of a well-known password
> > compared to no password is. Both are equally insecure, so someone who
> > wants to allow logins might as well go with "empty password".
>
> The problem is that when debug-tweaks or empty-root-password is not in
> IMAGE_FEATURE, there is no way to login by default, which will surprise
> the user. How about:
>
> 1) Let the user set the root passwd via a variable when building.
>
> Or/And
>
> 2) Warn the user at build time when the image is unable to login.

There are problems with both of these:

1) I'm concerned that by making it trivially easy this will encourage users to
set a root password and forget they have done so. This may lead to yet more
products going out with default root passwords, and that is not a good thing.

2) Having no root password in this scenario is not necessarily a mistake, it
may be intentional. If nobody ever needs to log into your device via a
terminal, then why would you need a root password set at all? In that scenario
you wouldn't want to be implying "this could be wrong, you should set a root
password".

If we need more documentation around this so that people understand how this
aspect works (and I don't doubt that we do, people do ask about it) then by
all means we should improve the documentation.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre