
Default user decisions



On Mon, Apr 28, 2008 at 09:15:33AM +1000, Trent W. Buck wrote:
> On Sun, Apr 27, 2008 at 03:00:34PM +0300, Tzafrir Cohen wrote:
> > > Instead of having a static, predictable, easy-to-crack password, I
> > > would suggest taking these steps:
> > 
> > Here you assume that someone will actually bother to take action with a
> > live CD. Users expect it to "Just Work[tm]".
> 
> I'm advocating a negligible amount of extra work for the live-helper
> user, not the *end* user.
> 
> > >   (Last time I
> > >   checked, this is merely a matter of whether 13home and a couple of
> > >   other scripts are present in live-initramfs.)
> > > 
> > > - possibly, prompt for confirmation at build time if BOTH 1) the guest
> > >   user is enabled; AND 2) any "blacklisted" packages
> > >   (e.g. openssh-server) are installed.  Something like
> > > 
> > >     openssh-server is to be installed, but the insecure guest user is
> > >     enabled, with a predictable username and password.  Do you accept
> > >     this gaping security hole?
> > 
> > There is a pretty good chance that the user will not be at the console
> > more than necessary[*]. Such a prompt will needlessly stall the boot
> > (recall you have to do it before sshd starts)
> 
> As before, I am talking about live-helper users (you), not end users
> (your customers).

So please re-read my mail and tell me where you think extra work can
help. As I have already mentioned, none of the proposals for extra work
for me actually helps the end user.

I want to just be able to boot the CD and access the system remotely. In
such a case there is simply nothing that sets apart a legitimate user
from one that isn't.

I also expect a typical system to be up for a pretty short time, and
hence the impact of a malicious take-over is significantly reduced.

> 
> > As a rule, "asking the user" is something I hope to avoid with the live
> > CD. Normally such solutions are just not applicable, and the defaults
> > have to work.
> > 
> > > 
> > > I'm not sure if the third point is worthwhile, since various network
> > > layouts make different packages worthy of blacklisting.  That is, the
> > > blacklist is bound to have a bunch of false positives and negatives.
> > 
> > [*] As for "more than necessary" - what does it take to boot to the CD
> > automatically after a timeout of, say, 60 seconds?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
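The build-time check proposed earlier in this thread (warn when the guest user is enabled AND a package such as openssh-server is on the package list) is easy to sketch. The script below is an added illustration, not live-helper code and not part of the original mail. The function signature, the "yes"/"no" guest flag, the plain package-list file format and the `BLACKLIST` variable are all assumptions; only openssh-server is named in the thread.

```sh
#!/bin/sh
# Hypothetical build-time sanity check for a live-helper style build:
# refuse (or at least warn) when a predictable guest login is combined
# with a package that makes it reachable over the network.
# Illustration only; not the project's own code.

# Packages that expose the guest account remotely. Only openssh-server is
# mentioned in the thread; extend this list as an assumption for your setup.
BLACKLIST="openssh-server"

# check_guest_daemons GUEST_ENABLED PACKAGE_LIST_FILE
#   GUEST_ENABLED      "yes" or "no" (stands in for the build option)
#   PACKAGE_LIST_FILE  one package name per line, '#' comments allowed
#                      (stands in for the build's package list)
# Prints the offending package names on stdout.
# Returns 0 when the combination is safe, 1 when both conditions hold.
check_guest_daemons() {
    guest="$1"
    list="$2"

    # No guest user, nothing to worry about regardless of the package list.
    [ "$guest" = "yes" ] || return 0

    found=""
    # '|| [ -n "$pkg" ]' still processes a final line lacking a newline.
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        pkg="${pkg%%#*}"          # drop trailing comment
        set -- $pkg               # word-split to trim surrounding blanks
        pkg="${1:-}"
        [ -n "$pkg" ] || continue
        for bad in $BLACKLIST; do
            [ "$pkg" = "$bad" ] && found="$found $pkg"
        done
    done < "$list"

    if [ -n "$found" ]; then
        printf '%s\n' "${found# }"
        return 1
    fi
    return 0
}

# Demo with a constructed package list (sample input, not a real build).
demo_list=$(mktemp)
printf 'vim\nopenssh-server  # remote access\n\nless\n' > "$demo_list"
if ! offending=$(check_guest_daemons yes "$demo_list"); then
    echo "$offending is to be installed, but the insecure guest user is" >&2
    echo "enabled, with a predictable username and password." >&2
fi
rm -f "$demo_list"
```

Run at build time, before the image is assembled, so the decision is made by the person building the CD rather than by a prompt that would stall the boot for the end user.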


