Once upon a time, Björn Persson <Bjorn@rombobjörn.se> said: > Chris Adams wrote: > > If the admin has done one thing to lock down the system, then they can > > do another (removing the sulogin --force addition). > > How do you propose to ensure that the admin is made aware of the need > to do that? The same way as any change - documentation. > Experienced sysadmins won't just instinctively know that in this new > release of this particular distribution they need to run this special > command to prevent boot problems from granting root access to whoever > can type on the keyboard. It's not a "special command", it's just removing an RPM that has the sulogin overrides, or just set a root password (this change only affects the case of a locked root account). Experienced sysadmins should already know that the OS changes from release to release. I don't install a brand new OS and give it to users without checking it out myself (and reading at least the release notes). This is NOT some new "hole" - out of the box, Fedora already allows someone with console access to get root access (in less convenient, but more confusing, ways). As noted in the change proposal, this change is already in Fedora CoreOS. -- Chris Adams <linux@xxxxxxxxxxx> _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure