Re: [PATCH 2/2] base-passwd: set root's default password to 'root'

From: Robert Yang <liezhi.yang@windriver.com>
To: Paul Eggleton <paul.eggleton@linux.intel.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] base-passwd: set root's default password to 'root'
Date: Thu, 24 Nov 2016 11:38:39 +0800	[thread overview]
Message-ID: <27dbd493-5b76-657f-8a1d-57eabe9eebed@windriver.com> (raw)
In-Reply-To: <1525289.rQK3S6YPkZ@peggleto-mobl.ger.corp.intel.com>

On 11/24/2016 11:18 AM, Paul Eggleton wrote:
> On Thu, 24 Nov 2016 10:01:59 Robert Yang wrote:
>> On 11/23/2016 07:16 PM, Patrick Ohly wrote:
>>> On Tue, 2016-11-22 at 23:49 -0800, Robert Yang wrote:
>>>> [YOCTO #10710]
>>>>
>>>> Otherwise, we can't login as root when debug-tweaks is not in
>>>> IMAGE_FEATURES, and there is no other users to login by default, so
>>>> there is no way to login.
>>>
>>> Wait a second, are you really suggesting that OE-core should have a
>>> default root password in its default configuration?
>>>
>>> That's very bad practice and I'm against doing it this way. Having a
>>> default password is one of the common vulnerabilities in actual devices
>>> on the market today. OE-core should make it hard to make that mistake,
>>> not actively introduce it.
>>>
>>> So if you think that having a root password set (instead of empty), then
>>> at least make it an opt-in behavior that explicitly has to be selected.
>>> Make it an image feature so that images with and without default
>>> password can be build in the same build configuration. Changing
>>> base-passwd doesn't achieve that.
>>>
>>> Even then I'm still wondering what the benefit of a well-known password
>>> compared to no password is. Both are equally insecure, so someone who
>>> wants to allow logins might as well go with "empty password".
>>
>> The problem is that when debug-tweaks or empty-root-password is not in
>> IMAGE_FEATURE, there is no way to login by default, which will surprise
>> the user. How about:
>>
>> 1) Let user can set root passwd via a variable when building.
>>
>> Or/And
>>
>> 2) Warn the user at build time when the image is unable to login.
>
> There are problems with both of these:
>
> 1) I'm concerned that by making it trivially easy this will encourage users to
> set a root password and forget they have done so. This may lead to yet more
> products going out with default root passwords, and that is not a good thing.
>
> 2) Having no root password in this scenario is not necessarily a mistake, it
> may be intentional. If nobody ever needs to log into your device via a
> terminal, then why would you need a root password set at all? In that scenario
> you wouldn't want to be implying "this could be wrong, you should set a root
> password".

Hi Paul,

Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, and
there is no passwd, so that user can login easily without a passwd, I think
that current status is more unsafe ? And when user realizes this, he
wants to add a passwd, but sorry, there is no easy way.
The anaconda installer's (used by Redhat) kickstart file can easily sets
a passwd, you can even set an un-encrypted password, are there many complains
about that ? When people can get your device (hardware), it's hard to prevent
people login you device.

// Robert

>
> If we need more documentation around this so that people understand how this
> aspect works (and I don't doubt that we do, people do ask about it) then by
> all means we should improved the documentation.
>
> Cheers,
> Paul
>