On Fri, May 24, 2013 at 5:20 PM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
> On Fri, May 24, 2013 at 10:57:29AM -0400, seth vidal wrote:
>> How about we do-away with the 'faux user which is and is not root even
>> though they are a trivial unpassworded sudo away' security theater that
>> amazon and ubuntu have been peddling for years now.
>>
>> I mean seriously - it's meaningless - let's stop pretending.
>
> I don't see it as a security feature (for the obvious reasons you give).
>
> It's more like the blade cover on a lawn mower. Sure, that's not locked and
> you can easily remove it, but a large amount of normal operation -- even
> sysadmin work! -- doesn't require you to stick your fingers in there.
>
> By not requiring a password, there's an easy-quick-release lock, and hey,
> you can always 'sudo su -' if you want to mow the grass without the cover.
> But it's still good practice to leave the cover on when you don't actually
> need to adjust something or fix a problem.
>
> We're not forcing that practice on anyone (you can disable the creation of
> the user in user-data, and I even include a snippet to just use root in the
> cloud-ks file), but I think it's a good default.
>
> That Ubuntu and Amazon do a similar thing just makes it easier.

I agree with Matt. Security wise it doesn't make a lot of sense. But it
protects the casual user from shooting himself in the foot. What's the
downside?

...Juerg

>
>
> --
> Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@xxxxxxxxxxxxxxxxx>
> _______________________________________________
> cloud mailing list
> cloud@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/cloud