Subject: Re: NetBSD master CVS tree commits
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: current-users
Date: 02/22/1997 08:10:56
> thorpej made cvs say:
>    If root has no password, don't lock the operator out of single-user
>    mode if the console is "insecure".

> i'm not sure i like this, from a `security' point of view.  if i have
> marked the console as insecure, then by hell i want netbsd to do it's
> best to keep the bad guys out!  and that includes *me* until i
> authenticate myself

How do you propose to authenticate yourself in this situation?  Someone
(presumably you) has configured the system to not require
authentication for root; why should init demand any?

What _should_ init do?  Prompt for a username and password, until
someone gives a username that is su-acceptable (per the rules su uses
wrt group wheel's existence and membership) and the correct password
for it?  (Since any such user could log in and would need no password
to su.)

> IMO, `insecure console' and `no root password' situations are
> generally going to be caused by pilot error,

True.  How can the pilot recover?  IMO, "no root password" is not
compatible with any significant degree of security; I think thorpej was
right here.  (I'm assuming "no root password" means ::, not :*:, for
the password field.)

> security systems should *always* fail closed

True as a general principle.  How does it apply here?  Insecure console
and no root password is a somewhat confusing combination; as I implied
above, they imply diametrically opposed things about the desired level
of security....

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B