[cobalt-security] pro's and cons of not letting GUI change root password
- Subject: [cobalt-security] pro's and cons of not letting GUI change root password
- From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
- Date: Fri, 1 Mar 2002 01:41:50 +0100
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
There has been a lot of discussion about changing the root password to let
it differ from the admin password. The main argument was: when they got the
admin password, they won't have the root password. The argument against this
was: when they got the admin password, they can change it in the GUI, which
changes the root password as well.
In /usr/lib/perl5/site_perl/5.005/Cobalt/User.pm, in the sub user_mod, there
is this loop:
##
while (<PASSWD>)
{
    if (/^$Adminuser:/o)
    {
        print PTMP "$name:$pass:$uid:$gid:$desc:$dir:$shell\n";
    }
    elsif (/^root:/o)
    {
        print PTMP "root:$pass:0:0:Root:/root:/bin/sh\n";
    }
    else
    {
        print PTMP;
    }
}
##
By commenting out the line starting with
print PTMP "root:
I will make sure the root password will not change when I change the admin
password in the GUI.
I can only come up with 2 reasons why this is a bad idea:
- locking out if root password forgotten.
- warranty-issues (well...)
My questions:
- Are there more arguments against doing this?
- Will the button on the front panel still work, as to reset the root
password? Or is this only for admin?
Thanks,
Jelmer
-----------------------------------------------------------------
Jelmer Jellema - Spin in het Web
www.spininhetweb.nl
Spin in het Web: All the Strings in Hand
-----------------------------------------------------------------
Spin in het Web is the producer of:
www.visinhetnet.nl: Not the Latest News
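
An added example (not part of the original post and not Cobalt's code) that replays the loop from user_mod over a constructed passwd file in three variants. It shows what is written for the root entry when only the root print line is commented out, compared with copying the root line through unchanged. The sample entries, the placeholder hashes, the uid/gid values and the rewrite helper are assumptions made for the illustration, and it needs Perl 5.8 or later for in-memory filehandles.

```perl
#!/usr/bin/perl
# Added example: replays the user_mod loop over a constructed passwd file.
use strict;
use warnings;

# Constructed sample data; the hashes are placeholders, not real crypt output.
my $passwd = join '',
    "root:ROOTHASH:0:0:Root:/root:/bin/sh\n",
    "admin:OLDADMINHASH:110:100:Admin:/home/admin:/bin/bash\n",
    "bin:*:1:1:bin:/bin:\n";
my ($Adminuser, $pass) = ('admin', 'NEWADMINHASH');

# $mode: 'original'  = loop as quoted in the post,
#        'commented' = only the root print statement commented out,
#        'passthru'  = root line copied to the new file unchanged.
sub rewrite {
    my ($mode) = @_;
    my $out = '';
    open(my $in,   '<', \$passwd) or die "open: $!";
    open(my $ptmp, '>', \$out)    or die "open: $!";
    while (<$in>) {
        if (/^\Q$Adminuser\E:/) {
            print {$ptmp} "$Adminuser:$pass:110:100:Admin:/home/admin:/bin/bash\n";
        }
        elsif (/^root:/) {
            print {$ptmp} "root:$pass:0:0:Root:/root:/bin/sh\n" if $mode eq 'original';
            print {$ptmp} $_                                     if $mode eq 'passthru';
            # 'commented': the branch still matches, so nothing is written for root
        }
        else {
            print {$ptmp} $_;
        }
    }
    close $in;
    close $ptmp;
    return $out;
}

# Report the root entry that each variant leaves in the rewritten file.
for my $mode (qw(original commented passthru)) {
    my ($root) = rewrite($mode) =~ /^(root:.*)$/m;
    printf "%-10s %s\n", $mode, defined $root ? $root : '(no root entry written)';
}
```

Because the elsif branch still consumes the root line, a variant that writes nothing there leaves the new file without a root entry. Only the pass-through variant keeps the existing root hash.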