Subject: Re: NetBSD master CVS tree commits
To: matthew green <>
From: Andrew Gillham <>
List: tech-security
Date: 02/23/1997 01:35:07
> root having no password is not synonymous to reduced security.  in many
> cases it *may* be, but, these things are not inherently related.

Correct, and root having a password is not synonymous with increased
security.  Imagine the case where someone "discovers" the root password,
but can't use it via 'su', or the console.  They can easily boot single-user
and have at it.  The point was that single-user is somewhat special, and
particularly single-user with no password should probably not be considered
the most secure.  If someone "inadvertently" changes the console to
insecure, and have only a root account, or no 'su' ability, they are instantly
hosed.  Whereas the security minded who is in a situation that he considers
"secure" with no root password, will need to do *a bit more* to actually
secure the system.  IMHO allowing physical access to the system means it
has almost zero security.  
That someone will gain access as root, zero the password, and then boot
single-user seems silly, but I guess it is a possibility.