David Kaufmann wrote on Tue, Nov 26, 2019 at 11:13:15AM +0100:
On Tue, Nov 26, 2019 at 09:45:44AM +0100, Dominique Martinet wrote:
> FWIW this has happened at an association I help at -- they had VMs with
> no root password set, and users created by puppet some of whom have
> sudo.
> They just expected no root password = no login possible, but it turns
> out 'su' just gave out a root shell with no password entered...
>
> It's easy to fix once I realized that, but it had been that way for
> quite a while until then; I'd definitely support removing nullok on the
> default install.
At least with Fedora 31 the root-Password is invalid by default, so I
guess it has been set to an empty password explicitely.
I'd classify this more as a bug in the puppet-scripts, as it sounds like
it touched security relevant stuff on installation, without admins being
aware of it.
Yes, definitely. I'm pretty sure puppet didn't touch it, but they must
have set the root password to an empty string somewhere on deployment --
I found it now I'm looking, they run 'passwd -d root' in the image on
purpose apparently (don't ask me why...), and people who had done it
left and turnover happened and new people weren't aware of it.
I really just wanted to answer Adam's "does it really happen?" question
- it does.
Would the change have been enough to make whoever removed the root
password not also re-add nullok ? I don't know, but it might have made
them think about it twice and reconsider doing that.
In an ideal world I think most people would consider passwordless login
ok if you're on the console or a physical seat, and not ok if you come
from ssh or some script running somewhere (cgi or whatever). Is that
attainable ?
--
Dominique