On Jan 13, 2008 6:59 PM, Bernardo Innocenti <[EMAIL PROTECTED]> wrote:
> What use is it if an application can login, su or sudo as
> user olpc with no password and _then_ su to root?

Fixed by chmod'ing su and sudo 770 and then chgrp to olpc.

> You can close all the open doors one by one by ruling out
> logins with empty passwords like ssh does, but then what
> would be the difference between an empty password and
> no password at all?
>

There isn't one.

> Captain Obvious just told me that on any UNIX system, setting
> an empty password should enable a user to login without typing
> a password, while disabling the password should instead disable
> logins by that user.
>
> The ssh default of not accepting empty passwords is just
> a bit too paranoid for some scenarios, and not paranoid enough
> for others (why not also disallow stupid passwords? :-)

Because unhashed versions of passwords are not stored, so password stupidity can not be assessed at that point.

> While I would certainly consider improvements, what's wrong
> that we're trying to fix with this simple solution we already
> adopted?

Still would be a good idea to do the thing with sudo and su that I mentioned earlier.

-ffm
_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
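The thread above turns on the difference between an empty password and a disabled one. As an added example that is not part of the original messages, this sketch audits shadow(5)-format input and reports which state each account is in; the function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Classify accounts by the password field (2nd field) of shadow(5)-format
# input read from stdin:
#   empty  -> field is empty: no password is required to authenticate
#   locked -> field starts with "!" or "*": password login is disabled
#   set    -> anything else: a password hash is present
# classify_shadow and empty_password_users are hypothetical helper names.
classify_shadow() {
    awk -F: '
        $0 == "" || /^#/ { next }                 # skip blanks and comments
        NF < 2           { next }                 # not a shadow entry
        $2 == ""         { print $1 ": empty";  next }
        $2 ~ /^[!*]/     { print $1 ": locked"; next }
                         { print $1 ": set" }
    '
}

# Print only the accounts that can authenticate without typing a password.
empty_password_users() {
    classify_shadow | awk -F': ' '$2 == "empty" { print $1 }'
}

# Constructed sample entries (not taken from a real system); the hash for
# "alice" is a placeholder string, not a real crypt(3) result.
SAMPLE_SHADOW='root:!:13891:0:99999:7:::
olpc::13891:0:99999:7:::
daemon:*:13891:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13891:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

On a live system the same functions can read the real file, for example `classify_shadow < /etc/shadow` run as root.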