Subject: Re: NetBSD master CVS tree commits
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: current-users
Date: 02/22/1997 08:10:56
> thorpej made cvs say:
>    If root has no password, don't lock the operator out of single-user
>    mode if the console is "insecure".

> i'm not sure i like this, from a `security' point of view.  if i have
> marked the console as insecure, then by hell i want netbsd to do it's
> best to keep the bad guys out!  and that includes *me* until i
> authenticate myself

How do you propose to authenticate yourself in this situation?  Someone
(presumably you) has configured the system to not require
authentication for root; why should init demand any?

What _should_ init do?  Prompt for a username and password, until
someone gives a username that is su-acceptable (per the rules su uses
wrt group wheel's existence and membership) and the correct password
for it?  (Since any such user could log in and would need no password
to su.)

> IMO, `insecure console' and `no root password' situations are
> generally going to be caused by pilot error,

True.  How can the pilot recover?  IMO, "no root password" is not
compatible with any significant degree of security; I think thorpej was
right here.  (I'm assuming "no root password" means ::, not :*:, for
the password field.)

> security systems should *always* fail closed

True as a general principle.  How does it apply here?  Insecure console
and no root password is a somewhat confusing combination; as I implied
above, they imply diametrically opposed things about the desired level
of security....

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
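As an added example, not part of the message above and not NetBSD's init(8) source: the single-user-mode gate the thread argues about, written as a pure function of the two inputs the decision actually depends on, the console's line in /etc/ttys and root's line in /etc/master.passwd. Field layouts are the traditional BSD ones (ttys(5), passwd(5)); the policy is the one the quoted commit message states, with the :: versus :*: distinction der Mouse draws. The behaviour "before the commit" is modelled only as far as the commit message describes it (an insecure console plus an empty root password leaves the operator locked out). The sample ttys and master.passwd lines, including the password hash, are constructed for this example; the function and constant names are assumptions.

```c
/* Added example, not NetBSD code: the single-user gate as a pure
 * function of a ttys(5) line and a master.passwd line.  Sample input
 * at the bottom is constructed; the hash there is not a real one. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum su_gate {
    SU_SHELL,       /* start the single-user shell, ask nothing       */
    SU_PROMPT,      /* demand root's password before the shell        */
    SU_LOCKED_OUT   /* no typed password can satisfy the prompt       */
};

/* Copy the next whitespace-separated field of *p into out.  A field
 * that starts with '"' runs to the closing quote, so the getty command
 * in a ttys line counts as one field.  Returns 1 if a field was read,
 * 0 at end of line or at a '#' comment. */
static int next_field(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;

    while (*s && isspace((unsigned char)*s)) s++;
    if (*s == '\0' || *s == '#') { *p = s; out[0] = '\0'; return 0; }
    if (*s == '"') {
        s++;
        while (*s && *s != '"') { if (n + 1 < outsz) out[n++] = *s; s++; }
        if (*s == '"') s++;
    } else {
        while (*s && !isspace((unsigned char)*s)) { if (n + 1 < outsz) out[n++] = *s; s++; }
    }
    out[n] = '\0';
    *p = s;
    return 1;
}

/* ttys(5): name, getty command, terminal type, then status flags such
 * as "on"/"off" and "secure".  The console is "insecure" simply by
 * lacking the secure flag; that is what "marked the console as
 * insecure" means in the thread.  Returns 1 for secure, 0 otherwise. */
static int console_is_secure(const char *ttys_line)
{
    char f[128];
    int i = 0;

    while (next_field(&ttys_line, f, sizeof f))
        if (i++ >= 3 && strcmp(f, "secure") == 0)
            return 1;
    return 0;
}

/* master.passwd: "root:<pw>:uid:gid:...".  Only the password field is
 * inspected.  Returns 0 for an empty field (::, no password at all),
 * 1 for a locked field (:*:, nothing can ever match), 2 for a hash,
 * and -1 if the line is not root's or is malformed. */
static int root_password_kind(const char *pw_line)
{
    const char *colon = strchr(pw_line, ':');
    if (colon == NULL || colon - pw_line != 4 || strncmp(pw_line, "root", 4) != 0)
        return -1;
    const char *pw = colon + 1;
    const char *end = strchr(pw, ':');
    if (end == NULL) return -1;
    if (end == pw)   return 0;
    if (*pw == '*')  return 1;
    return 2;
}

/* The gate.  allow_empty_root_pw = 1 gives the behaviour the commit
 * message describes (:: on an insecure console is not a lockout);
 * 0 gives the behaviour it says it replaced.  :*: and unparseable
 * input fail closed either way. */
static enum su_gate single_user_gate(const char *ttys_line, const char *pw_line,
                                     int allow_empty_root_pw)
{
    if (console_is_secure(ttys_line))
        return SU_SHELL;
    switch (root_password_kind(pw_line)) {
    case 0:  return allow_empty_root_pw ? SU_SHELL : SU_LOCKED_OUT;
    case 2:  return SU_PROMPT;
    default: return SU_LOCKED_OUT;
    }
}

/* Constructed sample lines (assumed names; the hash is a placeholder). */
static const char TTYS_SECURE[]   = "console \"/usr/libexec/getty Pc\" vt100 on secure";
static const char TTYS_INSECURE[] = "console \"/usr/libexec/getty Pc\" vt100 on";
static const char PW_EMPTY[]  = "root::0:0::0:0:Charlie &:/root:/bin/csh";
static const char PW_LOCKED[] = "root:*:0:0::0:0:Charlie &:/root:/bin/csh";
static const char PW_HASHED[] = "root:XXnotARealHashXX:0:0::0:0:Charlie &:/root:/bin/csh";

int main(void)
{
    static const char *name[] = { "shell", "prompt", "locked out" };
    printf("secure console,   ::  -> %s\n", name[single_user_gate(TTYS_SECURE,   PW_EMPTY,  1)]);
    printf("insecure console, ::  -> %s (after commit)\n", name[single_user_gate(TTYS_INSECURE, PW_EMPTY, 1)]);
    printf("insecure console, ::  -> %s (before commit)\n", name[single_user_gate(TTYS_INSECURE, PW_EMPTY, 0)]);
    printf("insecure console, :*: -> %s\n", name[single_user_gate(TTYS_INSECURE, PW_LOCKED, 1)]);
    printf("insecure console, hash -> %s\n", name[single_user_gate(TTYS_INSECURE, PW_HASHED, 1)]);
    return 0;
}
```

The point the table of cases makes is der Mouse's: with :: on an insecure console there is no credential anyone could present, so "prompt" is not an option, only "shell" or "locked out"; :*: is the case where fail-closed actually has something to close, since a real password check runs and nothing satisfies it.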