On Tue, Nov 26, 2019 at 09:45:44AM +0100, Dominique Martinet wrote:
FWIW this has happened at an association I help at -- they had VMs
with
no root password set, and users created by puppet some of whom have
sudo.
They just expected no root password = no login possible, but it turns
out 'su' just gave out a root shell with no password entered...
It's easy to fix once I realized that, but it had been that way for
quite a while until then; I'd definitely support removing nullok on the
default install.
At least with Fedora 31 the root-Password is invalid by default, so I
guess it has been set to an empty password explicitely.
I'd classify this more as a bug in the puppet-scripts, as it sounds like
it touched security relevant stuff on installation, without admins being
aware of it.
All the best,
David