On 11/24/2016 11:18 AM, Paul Eggleton wrote:
> On Thu, 24 Nov 2016 10:01:59 Robert Yang wrote:
>> On 11/23/2016 07:16 PM, Patrick Ohly wrote:
>>> On Tue, 2016-11-22 at 23:49 -0800, Robert Yang wrote:
>>>> [YOCTO #10710]
>>>>
>>>> Otherwise, we can't login as root when debug-tweaks is not in
>>>> IMAGE_FEATURES, and there are no other users to login by default, so
>>>> there is no way to login.
>>>
>>> Wait a second, are you really suggesting that OE-core should have a
>>> default root password in its default configuration?
>>>
>>> That's very bad practice and I'm against doing it this way. Having a
>>> default password is one of the common vulnerabilities in actual devices
>>> on the market today. OE-core should make it hard to make that mistake,
>>> not actively introduce it.
>>>
>>> So if you think that having a root password set (instead of empty), then
>>> at least make it an opt-in behavior that explicitly has to be selected.
>>> Make it an image feature so that images with and without default
>>> password can be built in the same build configuration. Changing
>>> base-passwd doesn't achieve that.
>>>
>>> Even then I'm still wondering what the benefit of a well-known password
>>> compared to no password is. Both are equally insecure, so someone who
>>> wants to allow logins might as well go with "empty password".
>>
>> The problem is that when debug-tweaks or empty-root-password is not in
>> IMAGE_FEATURES, there is no way to login by default, which will surprise
>> the user. How about:
>>
>> 1) Let the user set the root passwd via a variable when building.
>> Or/And
>> 2) Warn the user at build time when the image is unable to login.
>
> There are problems with both of these:
>
> 1) I'm concerned that by making it trivially easy this will encourage users to
> set a root password and forget they have done so. This may lead to yet more
> products going out with default root passwords, and that is not a good thing.
>
> 2) Having no root password in this scenario is not necessarily a mistake, it
> may be intentional. If nobody ever needs to log into your device via a
> terminal, then why would you need a root password set at all? In that scenario
> you wouldn't want to be implying "this could be wrong, you should set a root
> password".

Hi Paul,

Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, and
there is no passwd, so the user can log in easily without a passwd. I think
that the current status is more unsafe? And when the user realizes this, he
wants to add a passwd, but sorry, there is no easy way.

The anaconda installer's (used by Red Hat) kickstart file can easily set
a passwd, you can even set an un-encrypted password. Are there many complaints
about that? When people can get your device (hardware), it's hard to prevent
people from logging in to your device.

// Robert

> If we need more documentation around this so that people understand how this
> aspect works (and I don't doubt that we do, people do ask about it) then by
> all means we should improve the documentation.
>
> Cheers,
> Paul
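The three root-account states argued over in this thread (empty password, no usable password, a password baked into the image) can be told apart by reading an image's passwd and shadow entries. The following is an added example, not part of the original thread and not OE-core code; the function names and the sample entries are constructed for illustration.

```python
"""Classify how root can log in with a password, from passwd/shadow text."""

def _field(text, user, index):
    """Return colon-separated field `index` of `user`'s entry, or None."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if parts[0] == user and len(parts) > index:
            return parts[index]
    return None

def root_login_state(passwd_text, shadow_text=""):
    """Return 'empty', 'locked', 'password-set' or 'no-root-entry'.

    'locked' only means no password will be accepted; other login
    paths (for example SSH keys) are outside what this checks.
    """
    pw = _field(passwd_text, "root", 1)
    if pw is None:
        return "no-root-entry"
    if pw == "x":
        # 'x' defers to the shadow file; without a shadow entry there is
        # no valid password, so treat the account as locked.
        pw = _field(shadow_text, "root", 1)
        if pw is None:
            return "locked"
    if pw == "":
        return "empty"          # login as root needs no password
    if pw.startswith(("!", "*")):
        return "locked"         # no password can match
    return "password-set"       # a hash is present; its strength is unknown

# Constructed sample entries, not taken from any real image.
SAMPLES = {
    "empty root password": ("root::0:0:root:/home/root:/bin/sh\n", ""),
    "no usable password": ("root:x:0:0:root:/home/root:/bin/sh\n",
                           "root:*:17000:0:99999:7:::\n"),
    "password baked in": ("root:x:0:0:root:/home/root:/bin/sh\n",
                          "root:$6$CONSTRUCTED$CONSTRUCTEDHASH:17000:0:99999:7:::\n"),
}

if __name__ == "__main__":
    for label, (passwd_text, shadow_text) in SAMPLES.items():
        print(f"{label}: {root_login_state(passwd_text, shadow_text)}")
```

A release check can fail on "empty" and flag "password-set" for review, since a hash shipped in every unit is the default-password case the thread warns about.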