Jason R. Thorpe wrote:
> 
> In a situation where there _was_ pilot error, I think there's an argument
> to be made for recoverability... 
> 
> Well, "you're the boss" with the security stuff... if you really strongly
> object to it, it can be backed out.

Well, if we won't allow root to login in *single-user* because it
has no password, then why in all hell do we let it login in *multi-user*
with no password?  Certainly the 'insecure' wouldn't allow a no password
login on the console, but that is not the only way to use a root account
with no password.  So I configure my machine with "secure" root login
on a serial port or somesuch, and mark the console insecure.  Gee, once
I drop to single-user, my serial port is *dead*, and my inadvertent no
password on root won't allow me in.
Basically what I'm saying is:
  If with an 'insecure' console we allow single-user with the root password,
  then we should allow single-user if the root password is *blank*.

I would think this falls under the principle of least astonishment.  Why
"pretend" to have some security for single-user when there isn't even a
password on root?

-Andrew