From: Bruce Dubbs <bruce.dubbs@gmail.com>
To: Karel Zak <kzak@redhat.com>, Martin Pitt <martin.pitt@ubuntu.com>
Cc: util-linux@vger.kernel.org, Werner Fink <werner@suse.de>
Subject: Re: sulogin: Don't ask for password when it is locked/disabled
Date: Mon, 25 May 2015 11:06:56 -0500
Message-ID: <556348A0.9020206@gmail.com>
In-Reply-To: <20150525140117.GA9697@ws.net.home>

Karel Zak wrote:
>
> Hi all,
>
> https://github.com/karelzak/util-linux/pull/200
> this is Martin's request for a change to sulogin.
>
> It seems that Debian has, for the last 10 years, used a modified sulogin
> that doesn't ask for a password when /etc/shadow contains '!' or '*' as
> the root password.
>
> From my point of view the request makes sense, because otherwise it's
> impossible to enter a shell in emergency mode. BUT it also means that
> systems with locked root accounts are less secure.
>
> (Note that the bootloader may be password protected and access to the console
>   does not always mean physical access to the machine in all situations (locked
>   racks, console exported over network, virtual machines, etc.))
>
> Any security objections, comments?
>
> Do we want this feature enabled by default or do we need extra
> command line/compile option?

Perhaps it's security by obscurity, but doesn't this tell a malicious user 
immediately that the account is locked and to move on to another user id to try?

   -- Bruce Dubbs
      linuxfromscratch.org
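
For readers unfamiliar with the '!' / '*' convention discussed in the quoted message, the following is an added example, not part of the original thread and not sulogin's code: a small C classifier that tells apart the shapes a root entry in /etc/shadow can take. The function names, the enum and the sample lines are constructed for illustration; distinguishing a bare lock marker from a marker followed by a hash is this example's assumption, since the thread only mentions '!' or '*'.

```c
#include <stdio.h>
#include <string.h>

/* State of the password (second) field of an /etc/shadow entry. */
enum pw_state { PW_EMPTY, PW_LOCKED, PW_LOCKED_HASH, PW_USABLE, PW_NOMATCH };

/* The thread mentions only a bare '!' or '*'. Reporting "!<hash>" (the form
 * passwd -l writes) as its own state is this example's choice, not sulogin's. */
enum pw_state classify_pw_field(const char *pw)
{
    size_t n = strspn(pw, "!*");        /* length of leading lock markers */

    if (pw[0] == '\0')
        return PW_EMPTY;                /* no password set at all */
    if (n == 0)
        return PW_USABLE;               /* no lock marker; a hash is expected */
    return pw[n] == '\0' ? PW_LOCKED : PW_LOCKED_HASH;
}

/* Classify `user` from one shadow-format line "name:pw:...".
 * Returns PW_NOMATCH for another user's line or a line without a pw field. */
enum pw_state classify_shadow_line(const char *line, const char *user)
{
    char pw[256];
    size_t ulen = strlen(user), len;
    const char *start, *end;

    if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
        return PW_NOMATCH;
    start = line + ulen + 1;
    end = strchr(start, ':');
    if (end == NULL || (len = (size_t)(end - start)) >= sizeof(pw))
        return PW_NOMATCH;
    memcpy(pw, start, len);
    pw[len] = '\0';
    return classify_pw_field(pw);
}

int main(void)
{
    /* Constructed sample entries, not taken from any real system. */
    const char *samples[] = { "root:!:16580::::::", "root:*:16580::::::",
        "root:!$6$salt$hash:16580::::::", "root:$6$salt$hash:16580::::::",
        "root::16580::::::" };
    const char *names[] = { "empty", "locked", "locked+hash", "usable", "no match" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-32s %s\n", samples[i], names[classify_shadow_line(samples[i], "root")]);
    return 0;
}
```
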

Thread overview: 3+ messages
2015-05-25 14:01 sulogin: Don't ask for password when it is locked/disabled Karel Zak
2015-05-25 16:06 ` Bruce Dubbs [this message]
2015-05-26  8:35   ` Martin Pitt
