root password required for basic troubleshooting

M. Edward (Ed) Borasky znmeb at znmeb.net
Tue Jan 27 00:20:43 UTC 2015


On Mon, Jan 26, 2015 at 3:29 PM, Chris Murphy <lists at colorremedies.com> wrote:
> On Mon, Jan 26, 2015 at 3:23 PM, M. Edward (Ed) Borasky <znmeb at znmeb.net> wrote:
>
>> It's been a while since I installed openSUSE but my recollection is
>> that the default is to set the root password to the same value as the
>> user password. You can uncheck that and use another password. Also,
>> the non-root user is *not* in the 'wheel' group by default IIRC.
>
> That is true, the admin checkbox isn't checked by default in the
> installer, but I think gnome-initial-setup adds the user to wheel.
> g-i-s only comes up if a user wasn't created in the installer. This is
> consistent with Windows and OS X too, the first user is an admin.
>
>>
>> I'd go that route - require a root password but give the user the
>> option to copy the administrator password to 'root'.
>
> I think this is reasonable for Workstation, but I'm also really anti
> forcing users to follow password rules for root. So as long as tying
> the first user password to root doesn't then cause ridiculous security
> theater rules to be enforced on the user, great. Again as point of
> reference Windows and OS X don't have such limitations. I think it's
> fine to warn the user if their password is a dictionary word or
> whatever best practices are for warnings. I would sooner consider it
> more appropriate if the UI were to resort to name calling than
> enforcing specific password rules.
>
>
> --
> Chris Murphy
> --
> desktop mailing list
> desktop at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/desktop

It depends a lot on the threat model. Users don't do as much threat
modeling as they should; in the case of Windows they sorta trust
Microsoft but they also buy virus protection they don't need and fall
for scams distressingly often.

Case in point - I recently installed the Windows 10 tech preview in a
VM. In the process of using *Bing search* I accidentally enabled a
nasty piece of scareware called Vosteran. What's worse, Microsoft
seems to have recorded that in its cloud for me as an IE default - I
reformatted the hard drive and reinstalled and when I opened IE up
again, Vosteran was still there!

So I say enforce strong passwords, close *all* the ports on a
workstation (including ssh - I had some bad guy in Hong Kong trying to
get into my system recently) and teach users how to be safe. Make the
rootkit detectors available and well-documented, etc.

-- 
OSJourno: Robust Power Tools for Digital Journalists
http://www.znmeb.mobi/stories/osjourno-robust-power-tools-for-digital-journalists

Remember, if you're traveling to Bactria, Hump Day is Tuesday and Thursday.

