Various people write:

> yes, having a root password is generally bad, as it is what
> most attackers will try first.

With "olpc" being a well-known account, this security-by-obscurity doesn't gain you anything.

> Yes, I think logging in directly as root is a misfeature that should
> go away. Most of the other unix-derived platforms have been doing
> their best to kill it off or at least reduce its attractiveness...

There is no misfeature here, excepting the case where one starts up the whole GUI as root. Sugar doesn't provide an easy way to be run as root; it's not like some GNOME login thing.

If anything, Linux is going the other way. On a highly secure Linux system, it is not possible to obtain full privileges unless you log in directly on the console. You can't get full privilege with sudo, su, or ssh. (mere "root", UID==0, won't do the job)

BTW, this is not a bad solution. Simply remove the setuid bit from both sudo and su. To log in as root, press Alt-Ctrl-Fn-2. As a bonus, you get rid of some setuid programs.

Blocking access to all setuid programs would be far better. I found 17, many of which have previously had holes. You're not thinking with a security mindset until you assume that more holes will be found.

> Yeah ... sudo is more secure than su.

I really worry about this kind of misconception. It seems that sudo gives people a false sense of security. That alone makes sudo a hazard.

The XO will not be logging sudo commands to a remote system, and won't have multiple users authorized to run such commands. There goes the main point of having sudo.

Remember that sudo comes from the world of server administration, where multiple poorly-trusted people (employees) will need to perform root-only tasks. With sudo you gain some weak accountability. That doesn't help on the XO.

_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
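
The setuid audit the message describes (counting setuid programs and removing the bit from sudo and su), as an added example that is not part of the original post: it lists setuid files under a directory, reports those missing from an allowlist, and clears the bit on named files. The function names and the allowlist file format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid files.
# Function names and the allowlist format are assumptions of this example.

# Print every regular file under DIR that has the setuid bit set, sorted.
# -xdev keeps the walk on one filesystem.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# Print setuid files under DIR that are not named in ALLOWLIST
# (one absolute path per line; blank lines and #-comments are ignored).
# A missing allowlist means nothing is approved, so every file is reported.
unexpected_setuid() {
    list_setuid "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        !($0 in ok)'
}

# Clear the setuid bit on each named file and confirm it is gone.
# Returns non-zero if any file still has the bit afterwards.
drop_setuid() {
    rc=0
    for f in "$@"; do
        chmod u-s "$f" || rc=1
        [ -u "$f" ] && rc=1
    done
    return $rc
}
```

Run `unexpected_setuid` against `/` after each package update with an allowlist you maintain; any new line in its output is a setuid program nobody has reviewed.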