David Kaufmann wrote on Tue, Nov 26, 2019 at 11:13:15AM +0100:
> On Tue, Nov 26, 2019 at 09:45:44AM +0100, Dominique Martinet wrote:
> > FWIW this has happened at an association I help at -- they had VMs with
> > no root password set, and users created by puppet some of whom have
> > sudo.
> > They just expected no root password = no login possible, but it turns
> > out 'su' just gave out a root shell with no password entered...
> >
> > It's easy to fix once I realized that, but it had been that way for
> > quite a while until then; I'd definitely support removing nullok on the
> > default install.
>
> At least with Fedora 31 the root-Password is invalid by default, so I
> guess it has been set to an empty password explicitly.
> I'd classify this more as a bug in the puppet-scripts, as it sounds like
> it touched security relevant stuff on installation, without admins being
> aware of it.

Yes, definitely.
I'm pretty sure puppet didn't touch it, but they must have set the root
password to an empty string somewhere on deployment -- I found it now
I'm looking, they run 'passwd -d root' in the image on purpose
apparently (don't ask me why...), and people who had done it left and
turnover happened and new people weren't aware of it.

I really just wanted to answer Adam's "does it really happen?" question
- it does.
Would the change have been enough to make whoever removed the root
password not also re-add nullok? I don't know, but it might have made
them think about it twice and reconsider doing that.

In an ideal world I think most people would consider passwordless login
ok if you're on the console or a physical seat, and not ok if you come
from ssh or some script running somewhere (cgi or whatever).
Is that attainable?
-- 
Dominique
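
Added example, not part of the original message or of any Fedora tooling: a small audit for the combination discussed in this thread, an account whose shadow password field is empty (the state 'passwd -d' leaves behind) together with an active pam_unix auth line that carries nullok. The function names and the sample file contents are constructed for illustration; on a real host you would pass in the text of /etc/shadow and of the PAM service file you care about.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_SHADOW = """\
root::18226:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18226:0:99999:7:::
bob:!!:18226:0:99999:7:::
"""

SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
# auth      sufficient    pam_unix.so nullok
password    sufficient    pam_unix.so sha512 shadow nullok
"""

# PAM rule: type, control (a keyword or a [bracketed] list), module, arguments.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def empty_password_accounts(shadow_text):
    """Accounts whose password field is empty; '*', '!' and '!!' are locked, not empty."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[0] and f[1] == ""]

def nullok_auth_lines(pam_text):
    """(line number, line) for every active 'auth' pam_unix rule that has nullok."""
    hits = []
    for number, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = PAM_LINE.match(line)
        if not m:
            continue
        ptype, _control, module, args = m.groups()
        if ptype == "auth" and module.endswith("pam_unix.so") and "nullok" in args.split():
            hits.append((number, raw.strip()))
    return hits

def audit(shadow_text, pam_text):
    """An empty field only yields a passwordless login while nullok is on an auth rule."""
    empty = empty_password_accounts(shadow_text)
    nullok = nullok_auth_lines(pam_text)
    return {"empty_password": empty, "nullok_auth": nullok,
            "passwordless_login": empty if nullok else []}

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_PAM))
```

The 'password' rule with nullok is deliberately not counted: only 'auth' rules decide whether an empty password is accepted at login.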