[Freedombox-discuss] Why four users with passwords on the freedombox?

Petter Reinholdtsen pere at hungry.com
Tue Sep 10 08:07:47 UTC 2013


The current freedom-maker build setup for dreamplug sets up three unix
users in /etc/passwd with a valid password, and plinth includes another
user in its user database to log into plinth.  Why is this?  Having
users with valid passwords that are not regularly used is a security
problem, and it seems to me a better idea to avoid setting passwords
for most of these.  The users in question are:

 /etc/passwd, /etc/shadow

   root / freedom
   fbx / frdm
   plinth / config

 plinth, /var/lib/plinth/users.sqlite3 and /var/lib/plinth/users/admin

   admin / secret

At the moment plinth runs as the www-data user, perhaps it should be
changed to run as the plinth user, and the plinth user be created as a
system user without a valid password?

All of them run with publicly known passwords.  I suspect we should
rewrite the first-page module in plinth to ask for username and
password and create the administrative user instead of providing one
hardcoded into plinth.

What is the point of having both the users root and fbx?  Is it not
enough with one normal user, and set up sudo for this user to get root
access, or perhaps disable it completely and depend on some plinth GUI
to set the password on a regular unix user?

-- 
Happy hacking
Petter Reinholdtsen
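
The concern raised above can be checked on a built image by classifying the password field of every /etc/shadow entry and listing the accounts that still accept a password. This is an added example, not part of the original message or of the FreedomBox code; the passwd and shadow lines, UIDs, shells and hash strings are constructed sample data.

```python
# Added example: list accounts for which a unix password login is possible.
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed, not taken from a real image.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
plinth:x:999:999::/var/lib/plinth:/bin/sh
fbx:x:1000:1000::/home/fbx:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$constructedhashvalue:15958:0:99999:7:::
www-data:*:15958:0:99999:7:::
plinth:$6$CONSTRUCTEDSALT$constructedhashvalue:15958:0:99999:7:::
fbx:$6$CONSTRUCTEDSALT$constructedhashvalue:15958:0:99999:7:::
"""

def password_state(field):
    """Classify the second field of a shadow(5) line."""
    if field == "":
        return "empty"    # no password is required to authenticate
    if field[0] in "!*":
        return "locked"   # not a crypt(3) result: password login impossible
    return "usable"       # anything else is treated as a crypt(3) hash

def audit(passwd_text, shadow_text):
    """Return (user, uid, shell, state) for every account that is not locked."""
    accounts = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            accounts[fields[0]] = (int(fields[2]), fields[6])
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        state = password_state(field)
        if state != "locked":
            uid, shell = accounts.get(name, (-1, "?"))
            findings.append((name, uid, shell, state))
    return findings

if __name__ == "__main__":
    for name, uid, shell, state in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name:10} uid={uid:<5} shell={shell:18} password={state}")
```

On a real system the two strings would be read from /etc/passwd and /etc/shadow, which requires root for the latter.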


