Karel Zak wrote:
Hi all,
https://github.com/karelzak/util-linux/pull/200
this is Martin's request for a change to sulogin.
It seems that Debian has for the last 10 years used a modified sulogin that
doesn't ask for a password when /etc/shadow contains '!' or '*' as the
root password.
From my point of view the request makes sense, because otherwise it's
impossible to enter a shell in emergency mode. BUT it also means that
systems with locked root accounts are less secure.
(Note that the bootloader may be password protected and access to the console
does not always mean physical access to the machine in all situations (locked
racks, console exported over network, virtual machines, etc.))
Any security objections, comments?
Do we want this feature enabled by default or do we need extra
command line/compile option?
Perhaps it's security by obscurity, but doesn't this tell a malicious user
immediately that the account is locked and to move on to another user id to try?
-- Bruce Dubbs
linuxfromscratch.org
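
For anyone auditing which hosts the change discussed above would affect, the following added example (not part of the original messages and not util-linux or Debian code) classifies the root password field of a shadow(5)-format line. The function names and sample lines are constructed for illustration, and treating any field that begins with '!' or '*' as locked is an assumption about how the check would be written.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is an audit illustration, not sulogin source. */
enum pw_state { PW_NO_ENTRY = -1, PW_EMPTY, PW_LOCKED, PW_HASHED };

/* Classify the password field (2nd colon-separated field) of one
 * shadow(5)-format line for the given user. Assumption: a field that
 * begins with '!' or '*' is treated as locked. */
enum pw_state classify_shadow_line(const char *line, const char *user)
{
    size_t ulen = strlen(user);
    const char *field, *end;

    /* Require an exact name match so "rootkit" is not taken for "root". */
    if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
        return PW_NO_ENTRY;
    field = line + ulen + 1;
    end = strchr(field, ':');
    if (end == NULL)
        return PW_NO_ENTRY;            /* truncated or malformed entry */
    if (end == field)
        return PW_EMPTY;               /* no password set at all */
    if (*field == '!' || *field == '*')
        return PW_LOCKED;              /* includes "!<hash>" from passwd -l */
    return PW_HASHED;
}

/* 1 if a sulogin with the discussed change would skip the prompt. */
int prompt_skipped_for_locked(enum pw_state s)
{
    return s == PW_LOCKED;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real system. */
    const char *samples[] = {
        "root:!:19000:0:99999:7:::",
        "root:*:19000:0:99999:7:::",
        "root:!$6$salt$hash:19000:0:99999:7:::",
        "root:$6$salt$hash:19000:0:99999:7:::",
        "rootkit:!:19000:0:99999:7:::",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s skip_prompt=%d\n", samples[i],
               prompt_skipped_for_locked(classify_shadow_line(samples[i], "root")));
    return 0;
}
```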