Sorry, but I do not agree with the above. The only barrier to root-level access should not be physical access. Even in data centres with strict physical access controls, root auto-login would be a major security issue. VenusOS may be used in remote locations where physical security is not easily monitored or controlled. Breaches of security (and possibly damage to hardware due to malicious configuration) could be a very real risk if the OS is not secured correctly.
As a minimum, the documentation should be specific, with a warning that root without any credentials is configured by default for physical access and that steps should be taken to secure this if physical security is insufficient.
The point of adding a security policy to the repo has also not been addressed.
I am using VenusOS on a Raspberry Pi for testing purposes and it seems that the default account setup is against security best practices:
sudopi)

As it is at the moment, there are likely many devices running VenusOS with unsecured root privileges available by default.
It would also be beneficial to add a security policy to this repo so that vulnerabilities such as this can be highlighted in private while they are addressed: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
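A quick audit for the two conditions discussed in this thread (an account that can log in with no credentials, and a console configured to auto-login as root), as an added example that is not part of the issue, the replies, or the VenusOS project. It assumes only the standard shadow(5) file format and agetty's `-a`/`--autologin` option; the shadow and inittab lines below are constructed samples, not data from a real device, and how VenusOS itself wires up its root login is not verified here.

```shell
#!/bin/sh
# Added example, not VenusOS project code.
# Flags (1) local accounts whose shadow password field is empty, i.e. no
# password is required at login, and (2) getty entries that auto-login root.

# Constructed sample in /etc/shadow format (not from a real device).
# Field 2: "" = no password needed; "*" or "!" = locked; otherwise a hash.
SAMPLE_SHADOW='root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
pi:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
sshd:!:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Constructed sample of an inittab-style serial console entry that uses
# agetty's autologin option (hypothetical, not copied from VenusOS).
SAMPLE_INITTAB='S0:12345:respawn:/sbin/agetty -a root -L 115200 ttyS0 vt100
tty1:2345:respawn:/sbin/agetty -L 38400 tty1 linux'

# Print the names of accounts whose password field is empty.
# On a live system: passwordless_accounts "$(cat /etc/shadow)"  (needs root)
passwordless_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Succeed (exit 0) only when no account is passwordless, so the check can
# gate a provisioning script.
audit_shadow() {
    found=$(passwordless_accounts "$1")
    [ -z "$found" ]
}

# Print getty lines that auto-login root via agetty's -a / --autologin.
# On a live system, feed it /etc/inittab or the relevant getty unit files.
find_autologin() {
    printf '%s\n' "$1" | grep -E -- '(-a|--autologin)[ =]*root( |$)'
}

# Demonstration on the constructed samples.
echo "Accounts with no password:"
passwordless_accounts "$SAMPLE_SHADOW"
audit_shadow "$SAMPLE_SHADOW" || echo "FAIL: set a password or lock these accounts"
echo "Console entries auto-logging in root:"
find_autologin "$SAMPLE_INITTAB"
```

On the sample, `root` and `guest` are reported and the serial console line is flagged; on a hardened device both lists should be empty, at which point `audit_shadow` exits 0 and `find_autologin` prints nothing.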