[PATCH] su: support denying accounts with blank password

Denys Vlasenko vda.linux at googlemail.com
Wed Oct 14 12:09:57 UTC 2015


On Wed, Oct 14, 2015 at 1:52 PM, Natanael Copa <ncopa at alpinelinux.org> wrote:
> On Wed, 14 Oct 2015 05:43:32 -0400
> Michael Conrad <mconrad at intellitree.com> wrote:
>
>> On 10/14/2015 2:37 AM, Natanael Copa wrote:
>> > The security is based on physical access. The local technician can log
>> > in without password. (in theory, if you have physical access then you
>> > have access to it all anyway). And after all, it is the "local technician"
>> > the device is supposed to protect anyway.
>>
>> Why run 'login' at all?  You can just run "agetty -l /bin/bash" from
>> init or runit and always have a shell ready.
>
> This is a valid alternative approach that has been discussed.
>
> The drawback is that if you actually want a root password you will have
> to edit /etc/inittab while with 'su' you'll only need to set a password.

How about running "agetty -l /path/to/script_which_execs_sh_or_login"?

#!/bin/sh
grep -q "^root::" /etc/passwd && exec sh "$@"
exec login "$@"
echo "Your PATH is borked, can't find 'login'. PATH='$PATH'"
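
The wrapper above tests only /etc/passwd; on systems that keep hashes in /etc/shadow, the passwd field holds the placeholder "x" and the blank entry sits in the shadow file. As an added example that is not part of the original post, this check reads both files; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the names of accounts with an empty password field.
# $1: passwd-format file; $2 (optional): shadow-format file, consulted for
# entries whose passwd field is the "x" placeholder.
blank_password_accounts() {
    awk -F: -v shadow="${2:-}" '
        BEGIN {
            # Remember every shadow entry whose hash field is empty.
            while (shadow != "" && (getline line < shadow) > 0)
                if (split(line, f, ":") >= 2 && f[2] == "")
                    shadow_blank[f[1]] = 1
        }
        /^#/ || NF < 2 { next }                         # comments, malformed lines
        $2 == ""       { print $1; next }               # blank in passwd itself
        $2 == "x" && ($1 in shadow_blank) { print $1 }  # blank in shadow
    ' "$1"
}

# Succeeds only if root is among the passwordless accounts.
root_is_passwordless() {
    blank_password_accounts "$@" | grep -qx root
}

# Constructed sample files (not real account data), written into directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'tech::1000:1000::/home/tech:/bin/sh' \
                  'daemon:x:2:2::/:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'root::16722:0:::::' \
                  'daemon:!:16722:0:::::' > "$1/shadow"
}

dir=$(mktemp -d)
make_sample "$dir"
blank_password_accounts "$dir/passwd" "$dir/shadow"   # prints root, then tech
root_is_passwordless "$dir/passwd" || echo "passwd alone: root looks protected"
rm -rf "$dir"
```
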

