[Freedombox-discuss] Why four users with passwords on the freedombox?
pere at hungry.com
Mon Mar 17 08:10:21 UTC 2014
[Petter Reinholdtsen 2013-09-10]
> The current freedom-maker build setup for dreamplug set up three unix
> users in /etc/passwd with a valid password, and plinth include another
> user in its user database to log into plinth. Why is this? Having
> users with valid passwords that are not regularly used is a security
> problem, and it seem to me a better idea to avoid setting passwords
> for most of these. The users in questions are:
The situation is still bad, but slightly better. The plinth unix user
is now created by the plinth package, and no longer have a password.
And the admin user in the plinth user interface no longer exist. But
there are still two unix users with known passwords on the freedombox:
root / freedom
fbx / frdm
> At the moment plinth run as the www-data user, perhaps it should be
> changed to run as the plinth user, and the plinth user be created as a
> system user without a valid password?
The plinth process now seem to run as user root according to 'ps -ef'
(and not www-data any more), but no longer have a valid password. Can
it be changed to run as a non-privileged user?
> All of them run with publicly known passwords. I suspect we should
> rewrite the first-page module in plinth to ask for username and
> password and create the administrative user instead of providing one
> hardcoded into plinth.
The first-page module now ask for a username and password, and this is
the only user available in the plinth web interface after initial setup.
> What is the point of having both the users root and fbx? Is it not
> enough with one normal user, and set up sudo for this user to get root
> access, or perhaps disable it completely and depend on some plinth GUI
> to set the password on a regular unix user?
I still wonder about this. :)
More information about the Freedombox-discuss