> A more user-friendly setup is to allow the password to be bypassed in
> case it's not set.
>
> This does not pose an increased security risk:
> - you can already boot with `init=/sysroot/bin/bash` anyway
> - anyone with physical access to a machine can probably compromise it
> - you can enforce the need for a root password in single-user mode by setting it

To disallow root login in normal operation, and then turn around when a problem occurs and open a root shell without any login at all, is inconsistent and will lead users to believe that their computer is more secure than it actually is.

If Fedora is going to allow unauthenticated root access when there is a boot problem, then for consistency the same should be true in normal operation. Both root and other users should by default just be allowed in without any authentication – not over SSH or any kind of network access, but on local text consoles and GUI desktops. Anaconda's Root Account page should be changed to make the root account enabled and passphraseless by default, and on the User Creation page the checkbox "Require a password to use this account" should be unchecked by default. Anyone with physical access to a machine can probably compromise it, so it's pointless to ask for passphrases on the console, right?

*That* would be a change that users would be aware of, unlike the one proposed in the Change proposal – and if users want to enforce the need for a passphrase, then they can set one, on user accounts as well as on the root account.

When a root passphrase has been set, then that passphrase should be required in all situations – normal operation, rescue mode, single-user mode or whatever – and for consistency the same passphrase should be required in Grub before the boot parameters can be changed. A user who wants to enforce the need for a passphrase should be able to do that in one place, not three.

Conversely, if it's considered correct that Anaconda forbids an open passphraseless root account and promotes setting a passphrase on the user account, then that policy should be applied consistently, even in rescue mode. This makes a root passphrase necessary so that rescue mode can work.

Some day it may become possible to use a wheel user's passphrase in rescue mode. Then, and not before, can the root account be locked. In this case, Grub should also by default require root's or a wheel user's passphrase before boot parameters can be changed. That is consistent.

Björn Persson