On Fri, May 24, 2013 at 11:28 AM, Juerg Haefliger <juergh(a)gmail.com> wrote:
On Fri, May 24, 2013 at 5:20 PM, Matthew Miller
<mattdm(a)fedoraproject.org> wrote:
> On Fri, May 24, 2013 at 10:57:29AM -0400, seth vidal wrote:
>> How about we do-away with the 'faux user which is and is not root even
>> though they are a trivial unpassworded sudo away' security theater that
>> amazon and ubuntu have been peddling for years now.
>>
>> I mean seriously - it's meaningless - let's stop pretending.
>
> I don't see it as a security feature (for the obvious reasons you give).
>
> It's more like the blade cover on a lawn mower. Sure, that's not locked
and
> you can easily remove it, but a large amount of normal operation -- even
> sysadmin work! -- doesn't require you to stick your fingers in there.
>
I think there's a distinction here between two things:
1) Creating a non-root user (or any number of them) that you _can_ use.
2) Disabling root login
We can do #1 without doing #2
> By not requiring a password, there's an easy-quick-release
lock, and hey,
> you can always 'sudo su -' if you want to mow the grass without the
cover.
> But it's still good practice to leave the cover on when you don't
actually
> need to adjust something or fix a problem.
>
> We're not forcing that practice on anyone (you can disable the creation
of
> the user in user-data, and I even include a snippet to just use root in
the
> cloud-ks file), but I think it's a good default.
>
> That Ubuntu and Amazon do a similar thing just makes it easier.
I agree with Matt. Security wise it doesn't make a lot of sense. But
it protects the casual user from shooting himself in the foot. What's
the downside?
The downside is that this actually can introduce some unexpected behavior
in automated scripting that throws off novice users (and just annoys
others). Sudo strips environment settings, and for example, you lose
forwarded ssh agent settings. Sure, you can make workaround for things
like that, but I think Seth's point is that this is a fairly useless hoop
to make people jump through.
(I confess that originally I was one of the people trying to make these
images "like everyone else", but now I seem to be in the "just
annoyed"
camp on this particular one.)
Andy
...Juerg
>
>
> --
> Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <
mattdm(a)fedoraproject.org>
> _______________________________________________
> cloud mailing list
> cloud(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/cloud
_______________________________________________
cloud mailing list
cloud(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud