On Sat, 5 Jan 2008 14:57:44 -0700 Kevin Fenzi <kevin@xxxxxxxxx> wrote: > Well, as you say, you need to make sure we force the user to make a > regular account first, currently thats not being done. You can do a > new install and not create a user account. Problem is that you can not create unprivileged account in the installer, IIRC. You are asked whether you want to create normal user by firstboot, after system was rebooted. But that screen is usually not seen by users doing kickstart or vnc installation, as was pointed out by Tomas Mraz. So changing the default value to 'no' would mean that those users will have no way to log into newly installed systems (assuming those methods are frequently used for remote installs with no or limited physical access). But yes, it's usually good idea to change that value once you have normal account configured. > I find root ssh login handy for a number of reasons: > - You can have some family member or friend who trusts you to fix > their linux install allow your ssh key to login as root, then you > never need to know any passwords on their system or have a useless > normal account there. You may want to look at: PermitRootLogin without-password and/or forced-commands-only > > In regards to the GCC lockdowns, it was my understanding that > > sometimes hackers use our own compilers against us by logging in as > > a normal user, using gcc to build their hacktools, and then using > > the built tools to compromise root. Is this something that is no > > longer done? Just curious. As explained in other reply, with bunch of interpreters installed, this "hole" is quite hard to plug and probably not worth the effort / trouble. And if an attacker is able to download sources of his hacktools to your computer, he can probably download binaries as well. Given the small benefits of such change, this probably won't happen soon. -- Tomas Hoger -- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list