On Tue, 29 Nov 2016 10:45:51 Robert Yang wrote: > On 11/29/2016 09:57 AM, Khem Raj wrote: > >> On Nov 24, 2016, at 10:59 AM, Paul Eggleton > >> <paul.eggle...@linux.intel.com> wrote:>> > >> On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote: > >>> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote: > >>>> Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, > >>>> and > >>>> there is no passwd, so that user can login easily without a passwd, I > >>>> think > >>>> that current status is more unsafe ? > >>> > >>> Both well-known password and no password are unsafe. User "root" with > >>> password "root" is not even "more" safe already now, because tools that > >>> brute-force logins try that. Choosing something else would be a bit > >>> safer for a short while until the tools add it to their dictionary. > >>> > >>> Poky is also targeting a different audience than OE-core. Poky can > >>> assume to be used in a secure environment, OE-core can't (because it > >>> might be used for all kinds of devices). > >> > >> I don't think that's part of the design goals on either side, it's simply > >> about making development easier. The feature is clearly labelled "debug- > >> tweaks" because it's for debugging not for production. It could be that > >> we > >> should make it do other things like append a notice to /etc/issue to > >> avoid > >> people leaving it on for production, if that is a concern. > > > > Sometimes such goals can lead to problems. Making development easier by > > all means if you can ensure a hard error on production e.g. debug-tweaks > > can then never be part of production images. Otherwise someone will > > forget it and it will be discovered on millions of devices in field along > > with the user project will be red-faced.
Right. FWIW in mitigation I did write the raw material for the following section of the YP manuals, though I don't know how many people have ended up reading it: http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure In there there is an explicit mention of disabling debug-tweaks. Looking around the place it could be that we need more warnings about this being on by default though. > Will something like IMAGE_FEATURES += "production" help here ? I'd like to see something like this - at least give the user some way of saying "I really am in production now, so error out on anything that I shouldn't be doing there". I wonder if it potentially goes further than just conflicting with things like debug-tweaks and empty-root-password. > We may also need something like IMAGE_FEATURES += "test" to make it can work > with -ctestimage. Not sure I follow your reasoning here - can you explain what this feature would do? Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
