that darned ROOT problem

Bo Grimes newslists at isp.com
Wed Sep 28 20:03:42 UTC 2005 

Janne Jokitalo wrote:

>Bo Grimes wrote:
>  
>
>>>Without root password, you at least get away with random
>>>attacks that try common usernames with passwords like 'admin',
>>>'password' or the like. You get the picture.
>>>      
>>>
>>So how does Ubuntu's way prevent that if this were the case?
>>    
>>
>
>Err... isn't it self-explanatory? There is no root password -> you cannot
>login on that account.
>  
>

OK..we're just talking past one another.  What difference does it make 
if you're not root if you have root priviledge?  I don't see how the 
initial user is any less subject to random attacks just because there's 
no root password.  Compromise any user with sudo and you compromise the 
system.

>  
>
>>>The average user joe might very well put something very simple for root's
>>>password, since there's then another thing to remember, and since everyone
>>>always warns not to use those yellow notes attached to monitor side, well... :)
>>>      
>>>
>>How is Ubuntu's way more secure if this were the case?
>>    
>>
>
>Ummm.... I get the feeling now that you just don't want to appreciate this.
>Echoing one question over and over won't get us anywhere. I'm done with this
>subject, after this email, unless you're taking this to some direction.
>  
>

I get the feeling now that you don't want to see how it could ever, 
under any circumstance, be a problem.

>  
>
>>>So you see, it's not that simple. This is a well thought-out approach, and
>>>I'd wait a long while gathering experiences before go and change it
>>>due to few people disagreeing with it.
>>>      
>>>
>>The fact here is that Ubuntu is changing it from the standard practice
>>for Linux distros, and I have 6 years and dozens of distos of experience.
>>    
>>
>
>And I'm sure many of Ubuntu's core developers have even more so, and they're
>still going by this approach. Think it's just for the heck of it?
>  
>

Oh, please.  OK...if the Ubuntu developers are the end-all of Linux 
experience, if they know better and have more experience than the SuSE 
developers and the Gentoo developers and the Mepis developers and the 
Red Hat developers and the Fedora developers and the Debian 
developers...then you MUST be right.


>I dunno, could be. Still, I'd gather some more evidence for research purposes.
>

OK, so we disagree.  I'm done too unless there's new direction.

More information about the ubuntu-users mailing list