Skip to content
Permalink
Browse files
Set a default root password. 
This will prevent root login with an empty password on a fresh Arch Linux
installation.

This is only about the default behaviour, you could restore the previous one by
running `passwd -d root'.
Please note, this is not recommended and behave inconsistenly between
applications.

We use a trick in the shadow file to set a default password which never allow
login by using this password.

The special value '*' is used in the shadow file.
We don't use '!', '!!', '!*' on purpose.
The special '!' char, which should mean password locked (and not account locked)
is interpreted by some applications (e.g. sshd) as an account locked and will
prevent root login.

This change was suggested by Lennart Poettering and Zbigniew Jedrzejewski-Szmek
to security@archlinux.org.

git-svn-id: file:///srv/repos/svn-packages/svn@382685 eb2447ed-0c53-47e4-bac8-5bc4a241df78
  • Loading branch information
@seblu
seblu authored and svntogit committed May 7, 2020
1 parent afb7b91 commit 0320c90
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 trunk/PKGBUILD
View file
@@ -34,7 +34,7 @@ md5sums=('5fa6674df7645d7f5895f2d12b4ef4e9'
'7b208a630a548740e0f4cd368badae23'
'0ee015fad07732676d9488ae498eed41'
'f04bcb2803afc4dcb95670fe87343b4d'
'f64466dd77c7bec37a8b47681468211a'
'815652599be54fd3607cf276e89a0a19'
'a78cd8d7f8240a8448edee82f503c34e'
'a51847c012555c843dbdf8df0da171d3'
'af7832eabaac9804c22f1f2b53816a49'
2 trunk/shadow
View file
@@ -1 +1 @@
root::14871::::::
root:*:14871::::::

2 comments on commit 0320c90

@Torxed
Copy link
Member

@Torxed Torxed commented on 0320c90 Aug 20, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@seblu A change like this deserves an update to the wiki page (and possibly the "manual intervention step" news feed for the many people who have installation scripts, although this is just wishful thinking on my part) so that it's clear that it's a mandatory step unless you created a sudo enabled user. Otherwise setting a root password isn't strictly necessary. But failing to mention or warn (especially new users) that this is a required step can cause many hours of debugging and wondering why nothing is working when trying to login with root, because *"I never set a root password? is there a default one? Why isn't this working?"-scenario.

2020-08-20-082715_1497x183_scrot

It's a good change, and a welcome one. But the information going out was very relaxed.

@Torxed
Copy link
Member

@Torxed Torxed commented on 0320c90 Aug 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll also add that the sudo section of the wiki strongly warns that you can lock yourself out.. This is now default behavior without any such warnings. (again talking about the relax nature of the installation guide failing to mention this with the same dignity as the sudo section does).

2020-08-20-082640_1496x322_scrot

Please sign in to comment.