
Re: Getting root on Linux



> Brian> Can we adjust LILO to ship with the password enabled by
> Brian> default, then? Presumably it can be set to requires password
> Brian> with no password being set so that it is simply impossible to
> Brian> boot with parameters without manually setting a password (or
> Brian> disabling it).
> 
>         I am all for security, generally, but I think that the
>  requirement for the password should not be set unless the password
>  has been set by the user. (I would hate it if on upgrading LILO, I
>  can't get back into my machine when things fail).
> 
>         You can't ram security down people's throats. Also, security is
>  always a matter of trade offs, and we should think carefully before
>  assuming what tradeoffs are ``right''.
> 
>         The lilo config should mention this in loud, screaming banner
>  headlines, maybe. But systems should not ship such that the customer
>  can't get to the machine after misconfiguring xdm.
> 
>         Also, this level of security may not be required in many
>  cases, for dial-up machines in people's homes (if you get to my
>  keyboard, data security is least of my worries).
> 
>         I would suggest we modify liloconfig to ask for, and set, a
>  password, if the user so wishes, but never to require a password with
>  no password provided.

I can understand this, but making an invalid password wouldn't actually
make the system completely sealed since a user could still get to it by
using the original rescue floppy.

Either way, something needs to be done such that the user is at least made
aware of this.  Having the LILO config ask for a password the first time it
is installed is probably as good a solution as any.

Or, perhaps LILO could be modified such that it only needs the password
for options like 'init' and 'root', but not 'single' since that is already
covered by Debian's /usr/sbin/sulogin.

                                          Brian
                                 ( bcwhite@verisim.com )

-------------------------------------------------------------------------------
If you have a 50% chance of guessing right, you'll guess wrong 75% of the time.
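
An added example, not part of the original message: a Python check that reads a lilo.conf and reports, per boot entry, whether boot parameters such as 'init' or 'root' can be passed without a password. It relies on LILO's `password=` and `restricted` configuration keywords; the sample file, the placeholder password and the function names are constructed for illustration.

```python
# Added example: which LILO boot entries accept boot parameters without a password?
SAMPLE_CONF = """\
# constructed sample lilo.conf, not taken from the thread
boot=/dev/hda
prompt
image=/vmlinuz
    label=linux
    password=example-only   # placeholder value
    restricted
image=/vmlinuz.old
    label=old
    password=example-only
other=/dev/hda2
    label=dos
"""

def parse_lilo_conf(text):
    """Split a lilo.conf into global options and per-entry option dicts."""
    global_opts, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):          # each starts a new boot entry
            current = {"_entry": value}
            entries.append(current)
        elif current is None:
            global_opts[key] = value           # options before the first entry
        else:
            current[key] = value
    return global_opts, entries

def audit(text):
    """Map each entry label to how its boot is protected."""
    global_opts, entries = parse_lilo_conf(text)
    report = {}
    for entry in entries:
        merged = {**global_opts, **entry}      # global settings apply to every entry
        if "password" not in merged:
            state = "no password: any boot parameter accepted"
        elif "restricted" in merged:
            state = "password asked only when parameters are typed"
        else:
            state = "password asked on every boot"
        report[entry.get("label", entry["_entry"])] = state
    return report

if __name__ == "__main__":
    for label, state in audit(SAMPLE_CONF).items():
        print(f"{label}: {state}")
```

lilo.conf stores the password in plain text, so the file should be readable by root only.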

