On Thu, 24 Nov 2016 10:01:59 Robert Yang wrote: > On 11/23/2016 07:16 PM, Patrick Ohly wrote: > > On Tue, 2016-11-22 at 23:49 -0800, Robert Yang wrote: > >> [YOCTO #10710] > >> > >> Otherwise, we can't login as root when debug-tweaks is not in > >> IMAGE_FEATURES, and there is no other users to login by default, so > >> there is no way to login. > > > > Wait a second, are you really suggesting that OE-core should have a > > default root password in its default configuration? > > > > That's very bad practice and I'm against doing it this way. Having a > > default password is one of the common vulnerabilities in actual devices > > on the market today. OE-core should make it hard to make that mistake, > > not actively introduce it. > > > > So if you think that having a root password set (instead of empty), then > > at least make it an opt-in behavior that explicitly has to be selected. > > Make it an image feature so that images with and without default > > password can be build in the same build configuration. Changing > > base-passwd doesn't achieve that. > > > > Even then I'm still wondering what the benefit of a well-known password > > compared to no password is. Both are equally insecure, so someone who > > wants to allow logins might as well go with "empty password". > > The problem is that when debug-tweaks or empty-root-password is not in > IMAGE_FEATURE, there is no way to login by default, which will surprise > the user. How about: > > 1) Let user can set root passwd via a variable when building. > > Or/And > > 2) Warn the user at build time when the image is unable to login.
There are problems with both of these: 1) I'm concerned that by making it trivially easy this will encourage users to set a root password and forget they have done so. This may lead to yet more products going out with default root passwords, and that is not a good thing. 2) Having no root password in this scenario is not necessarily a mistake, it may be intentional. If nobody ever needs to log into your device via a terminal, then why would you need a root password set at all? In that scenario you wouldn't want to be implying "this could be wrong, you should set a root password". If we need more documentation around this so that people understand how this aspect works (and I don't doubt that we do, people do ask about it) then by all means we should improved the documentation. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
