[OE-core] [PATCH 2/2] base-passwd: set root's default password to 'root'

Khem Raj raj.khem at gmail.com
Tue Nov 29 01:57:58 UTC 2016


> On Nov 24, 2016, at 10:59 AM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> 
> On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote:
>> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
>>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, and
>>> there is no passwd, so that user can login easily without a passwd, I think
>>> that current status is more unsafe?
>> 
>> Both well-known password and no password are unsafe. User "root" with
>> password "root" is not even "more" safe already now, because tools that
>> brute-force logins try that. Choosing something else would be a bit
>> safer for a short while until the tools add it to their dictionary.
>> 
>> Poky is also targeting a different audience than OE-core. Poky can
>> assume to be used in a secure environment, OE-core can't (because it
>> might be used for all kinds of devices).
> 
> I don't think that's part of the design goals on either side, it's simply
> about making development easier. The feature is clearly labelled
> "debug-tweaks" because it's for debugging not for production. It could be
> that we should make it do other things like append a notice to /etc/issue to
> avoid people leaving it on for production, if that is a concern.
> 

Sometimes such goals can lead to problems. Make development easier by
all means, if you can ensure a hard error on production, e.g. debug-tweaks can
then never be part of production images. Otherwise someone will forget it,
it will be discovered on millions of devices in the field, and the user
project will be red-faced.
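
One way to get the hard error on production discussed above, as an added example that is not part of the original thread or of OE-core: a shell check run against an unpacked root filesystem before release, which fails when root's password field is empty (the "no passwd" state described in the quoted text). The function names and the rootfs directory argument are assumptions, and the check covers the empty-password case only, not a well-known password.

```shell
#!/bin/sh
# Added example: release gate for an unpacked root filesystem.
# Function names and the rootfs argument are hypothetical.

# Print root's password field. When etc/passwd holds "x", the real
# field lives in etc/shadow, so read it from there instead.
root_pw_field() {
    rootfs=$1
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$rootfs/etc/passwd")
    if [ "$field" = "x" ] && [ -f "$rootfs/etc/shadow" ]; then
        field=$(awk -F: '$1 == "root" { print $2; exit }' "$rootfs/etc/shadow")
    fi
    printf '%s' "$field"
}

# Return 0 when root has a non-empty password field (hash or lock
# marker), 1 when the field is empty, 2 when the check cannot be made.
check_root_login() {
    rootfs=$1
    if [ ! -f "$rootfs/etc/passwd" ]; then
        echo "ERROR: $rootfs/etc/passwd not found" >&2
        return 2
    fi
    if ! grep -q '^root:' "$rootfs/etc/passwd"; then
        echo "ERROR: no root entry in $rootfs/etc/passwd" >&2
        return 2
    fi
    if [ -z "$(root_pw_field "$rootfs")" ]; then
        echo "ERROR: root has an empty password in $rootfs" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: pass the rootfs directory as the first argument.
if [ "$#" -gt 0 ]; then
    check_root_login "$1"
    exit $?
fi
```

A non-zero exit status from the script can be used to stop the release step of a build pipeline.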

