[Freedombox-discuss] Why four users with passwords on the freedombox?
Petter Reinholdtsen
pere at hungry.com
Mon Mar 17 08:10:21 UTC 2014
[Petter Reinholdtsen 2013-09-10]
> The current freedom-maker build setup for dreamplug sets up three unix
> users in /etc/passwd with a valid password, and plinth includes another
> user in its user database to log into plinth. Why is this? Having
> users with valid passwords that are not regularly used is a security
> problem, and it seems to me a better idea to avoid setting passwords
> for most of these. The users in question are:

The situation is still bad, but slightly better. The plinth unix user
is now created by the plinth package, and no longer has a password.
And the admin user in the plinth user interface no longer exists. But
there are still two unix users with known passwords on the freedombox:

  /etc/passwd, /etc/shadow
    root / freedom
    fbx / frdm

> At the moment plinth runs as the www-data user, perhaps it should be
> changed to run as the plinth user, and the plinth user be created as a
> system user without a valid password?

The plinth process now seems to run as user root according to 'ps -ef'
(and not www-data any more), but no longer has a valid password. Can
it be changed to run as a non-privileged user?

> All of them run with publicly known passwords. I suspect we should
> rewrite the first-page module in plinth to ask for username and
> password and create the administrative user instead of providing one
> hardcoded into plinth.

The first-page module now asks for a username and password, and this is
the only user available in the plinth web interface after initial setup.

> What is the point of having both the users root and fbx? Is it not
> enough with one normal user, and set up sudo for this user to get root
> access, or perhaps disable it completely and depend on some plinth GUI
> to set the password on a regular unix user?

I still wonder about this. :)

--
Happy hacking
Petter Reinholdtsen
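
A check that a build script could run against a finished image to catch the situation discussed in this thread, accounts left with a usable password. This is an added example, not part of the original post or of freedom-maker; the sample entries, uids and hashes are constructed.

```python
"""Report accounts whose shadow(5) password field permits password login."""
import sys

# Constructed sample data: illustrative entries, hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fbx:x:1000:1000::/home/fbx:/bin/bash
plinth:x:110:115::/var/lib/plinth:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$placeholderhash1:16146:0:99999:7:::
www-data:*:16146:0:99999:7:::
fbx:$6$constructedsalt$placeholderhash2:16146:0:99999:7:::
plinth:!:16146:0:99999:7:::
"""

def password_state(field):
    """Classify the second field of a shadow(5) entry."""
    if field == "":
        return "empty"    # no password required at all
    if field[0] in "!*":
        return "locked"   # no typed password can match this field
    return "usable"       # holds a hash, so some password logs in

def audit(passwd_text, shadow_text):
    """Return (user, uid, shell, state) for every account not locked."""
    accounts = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7:
            accounts[parts[0]] = (int(parts[2]), parts[6])
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        state = password_state(parts[1])
        if state != "locked":
            uid, shell = accounts.get(parts[0], (None, None))
            findings.append((parts[0], uid, shell, state))
    return findings

if __name__ == "__main__":
    # Optional arguments: paths to passwd and shadow inside a built image.
    if len(sys.argv) == 3:
        texts = [open(p).read() for p in sys.argv[1:3]]
    else:
        texts = [SAMPLE_PASSWD, SAMPLE_SHADOW]
    for user, uid, shell, state in audit(*texts):
        print(f"{user} uid={uid} shell={shell} password={state}")
```

A locked password field only rules out password authentication; the account can still be used by services or through other login methods configured on the system.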