[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sash (was Re: demo vs. real package: FYI (was ...))



On Sun, Sep 19, 1999 at 10:53:01PM -0400, Raul Miller wrote:
> Raul Miller wrote:
> > > They don't touch the root account.  Instead, they clone
> > > it as sashroot and set the shell on the cloned account.
> > > 
> > > This is mentioned in the package description.
> 
> On Sun, Sep 19, 1999 at 03:39:30PM -0700, Joey Hess wrote:
> > I suppose you have considered the security problems, if root forgets
> > to change that password when they change the main root one?
> 
> Yes I did.
> 
> There's not a lot I can do about this beyond advising the sysadmin that
> it's a good idea.

Will this affect people who upgrade?  It would be very unpleasant to upgrade
from slink and have a new root user.

Even for new installs, I disagree with your decision.  sash is useful
without another root account; however you require users who wish to use it
this way to read your documentation on undoing the damage (which you
hopefully provide) and take the (hopefully small) risk that you mess up the
passwd file.

My opinion on prompting in the postinst is that, for all its disadvantages,
there is a legitimate place for it within the current system.  One question
on sash install (not upgrade) would be fine if there is no clear default.

Andrew

-- 
Don't forget that Linux became only possible because 20 years of OS
research was carefully studied, analyzed, discussed and thrown away.
- kernel hacker Ingo Molnar


Reply to: