Re: [PATCH 2/2] base-passwd: set root's default password to 'root'

From: Paul Eggleton <paul.eggleton@linux.intel.com>
To: Robert Yang <liezhi.yang@windriver.com>, Khem Raj <raj.khem@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] base-passwd: set root's default password to 'root'
Date: Tue, 29 Nov 2016 16:45:09 +1300	[thread overview]
Message-ID: <1910837.9fFbRdU0ck@peggleto-mobl.ger.corp.intel.com> (raw)
In-Reply-To: <a63e3bae-0fe1-1f52-88b6-d9c53c38f306@windriver.com>

On Tue, 29 Nov 2016 10:45:51 Robert Yang wrote:
> On 11/29/2016 09:57 AM, Khem Raj wrote:
> >> On Nov 24, 2016, at 10:59 AM, Paul Eggleton
> >> <paul.eggleton@linux.intel.com> wrote:>> 
> >> On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote:
> >>> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
> >>>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky,
> >>>> and
> >>>> there is no passwd, so that user can login easily without a passwd, I
> >>>> think
> >>>> that current status is more unsafe ?
> >>> 
> >>> Both well-known password and no password are unsafe. User "root" with
> >>> password "root" is not even "more" safe already now, because tools that
> >>> brute-force logins try that. Choosing something else would be a bit
> >>> safer for a short while until the tools add it to their dictionary.
> >>> 
> >>> Poky is also targeting a different audience than OE-core. Poky can
> >>> assume to be used in a secure environment, OE-core can't (because it
> >>> might be used for all kinds of devices).
> >> 
> >> I don't think that's part of the design goals on either side, it's simply
> >> about making development easier. The feature is clearly labelled "debug-
> >> tweaks" because it's for debugging not for production. It could be that
> >> we
> >> should make it do other things like append a notice to /etc/issue to
> >> avoid
> >> people leaving it on for production, if that is a concern.
> > 
> > Sometimes such goals can lead to problems. Making development easier by
> > all means if you can ensure a hard error on production e.g. debug-tweaks
> > can then never be part of production images. Otherwise someone will
> > forget it and it will be discovered on millions of devices in field along
> > with the user project will be red-faced.

Right. FWIW in mitigation I did write the raw material for the following
section of the YP manuals, though I don't know how many people have ended
up reading it:

http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

In there there is an explicit mention of disabling debug-tweaks. Looking
around the place it could be that we need more warnings about this being
on by default though.

> Will something like IMAGE_FEATURES += "production" help here ? 

I'd like to see something like this - at least give the user some way of
saying "I really am in production now, so error out on anything that I
shouldn't be doing there". I wonder if it potentially goes further than
just conflicting with things like debug-tweaks and empty-root-password.

> We may also need something like IMAGE_FEATURES += "test" to make it can work
> with -ctestimage.

Not sure I follow your reasoning here - can you explain what this feature
would do?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre