[OE-core] [PATCH 2/2] base-passwd: set root's default password to 'root'
Paul Eggleton
paul.eggleton at linux.intel.com
Tue Nov 29 03:45:09 UTC 2016
On Tue, 29 Nov 2016 10:45:51 Robert Yang wrote:
> On 11/29/2016 09:57 AM, Khem Raj wrote:
> >> On Nov 24, 2016, at 10:59 AM, Paul Eggleton
> >> <paul.eggleton at linux.intel.com> wrote:>>
> >> On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote:
> >>> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
> >>>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky,
> >>>> and
> >>>> there is no passwd, so that user can login easily without a passwd, I
> >>>> think
> >>>> that current status is more unsafe ?
> >>>
> >>> Both well-known password and no password are unsafe. User "root" with
> >>> password "root" is not even "more" safe already now, because tools that
> >>> brute-force logins try that. Choosing something else would be a bit
> >>> safer for a short while until the tools add it to their dictionary.
> >>>
> >>> Poky is also targeting a different audience than OE-core. Poky can
> >>> assume to be used in a secure environment, OE-core can't (because it
> >>> might be used for all kinds of devices).
> >>
> >> I don't think that's part of the design goals on either side, it's simply
> >> about making development easier. The feature is clearly labelled "debug-
> >> tweaks" because it's for debugging not for production. It could be that
> >> we
> >> should make it do other things like append a notice to /etc/issue to
> >> avoid
> >> people leaving it on for production, if that is a concern.
> >
> > Sometimes such goals can lead to problems. Making development easier by
> > all means if you can ensure a hard error on production e.g. debug-tweaks
> > can then never be part of production images. Otherwise someone will
> > forget it and it will be discovered on millions of devices in field along
> > with the user project will be red-faced.
Right. FWIW in mitigation I did write the raw material for the following
section of the YP manuals, though I don't know how many people have ended
up reading it:
http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
In there there is an explicit mention of disabling debug-tweaks. Looking
around the place it could be that we need more warnings about this being
on by default though.
> Will something like IMAGE_FEATURES += "production" help here ?
I'd like to see something like this - at least give the user some way of
saying "I really am in production now, so error out on anything that I
shouldn't be doing there". I wonder if it potentially goes further than
just conflicting with things like debug-tweaks and empty-root-password.
> We may also need something like IMAGE_FEATURES += "test" to make it can work
> with -ctestimage.
Not sure I follow your reasoning here - can you explain what this feature
would do?
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
More information about the Openembedded-core
mailing list