[PATCH] su: support denying accounts with blank password

Laurent Bercot ska-dietlibc at skarnet.org
Wed Oct 14 10:18:04 UTC 2015


On 14/10/2015 08:37, Natanael Copa wrote:
> using a screen and keyboard or via serial cable. He logs in as root,
> but is not asked for password or just presses <enter> when asked for
> password.

  What companies usually do in this case (typically ISPs with modems
they ship to users) is set a trivial root password, such as "admin",
and disable privilege-gaining binaries entirely, except /bin/login
which checks /etc/securetty.
  It's not much harder for a non-technical user to log in with a
trivial password than with no password at all, and it ensures that
only local users can log in as root. (Of course, ISPs have their
own backdoors into those modems, but that is another story.)

-- 
  Laurent
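
A way to check an unpacked device root filesystem against the setup described in this message, as an added example that is not part of the original post or of BusyBox. The function names, the sample tree and the allow-list of local terminal names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a root filesystem tree for the policy described above
# (no setuid binaries except /bin/login, securetty limited to local terminals).

# Print every setuid regular file under ROOT except /bin/login.
# Only the setuid bit is checked, not the file owner.
unexpected_setuid() {
    root=$1
    find "$root" -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"}
        [ "$rel" = "/bin/login" ] || printf '%s\n' "$rel"
    done
}

# Print /etc/securetty entries that are not local terminals.
# Assumption: local means console, ttyN and ttyS*; adjust for the hardware.
nonlocal_ttys() {
    file=$1/etc/securetty
    [ -f "$file" ] || { printf 'missing\n'; return; }
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" |
    while IFS= read -r tty; do
        tty=${tty#/dev/}
        case $tty in
            console|tty[0-9]*|ttyS[0-9]*) ;;
            *) printf '%s\n' "$tty" ;;
        esac
    done
}

# Return 0 when the tree matches the policy, 1 (with findings printed) otherwise.
audit_rootfs() {
    findings=$( { unexpected_setuid "$1" | sed 's/^/setuid: /'
                  nonlocal_ttys "$1" | sed 's/^/securetty: /'; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: a stray setuid su and a pseudo-terminal in securetty.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    : > "$d/bin/login"; : > "$d/bin/su"
    chmod 4755 "$d/bin/login" "$d/bin/su"
    printf 'console\nttyS0   # serial cable\npts/0\n' > "$d/etc/securetty"
    printf '%s\n' "$d"
}
```

Running `audit_rootfs "$(make_sample_rootfs)"` reports the setuid `/bin/su` and the `pts/0` entry from the constructed tree.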


