[Security] Root login by default #836

Closed
deosrc opened this issue Jul 13, 2021 · 2 comments

Comments

deosrc commented Jul 13, 2021

I am using VenusOS on a Raspberry Pi for testing purposes and it seems that the default account setup is against security best practices:

  • Root login should be disabled with all access which requires root done through sudo
  • A standard user should be configured for normal access (e.g. pi)
  • A default password may be provided but it should be forcibly changed on first login
  • Auto-login should be disabled by default
  • The documentation should recommend changing the password

As it is at the moment, there are likely many devices running VenusOS with unsecured root privileges available by default.

It would also be beneficial to add a security policy to this repo so that vulnerabilities such as this can be highlighted in private while they are addressed: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

@jhofstee
Contributor

  • ssh and root login are disabled by default, unless you have physical access
  • there is no password at all, you need to set it first or have physical access
  • autologin is fine for physical access, you can take out the SD card as well to get access
  • you have to change the password, because the root user doesn't even allow logging in with a password by default

deosrc commented Jul 16, 2021

Sorry but I do not agree with the above. The only barrier to root level access should not be physical access. Even in data centres with strict physical access controls, root auto-login would be a major security issue. VenusOS may be used in remote locations where physical security is not easily monitored or controlled. Breaches of security (and possibly damage to hardware due to malicious configuration) could be a very real risk if the OS is not secured correctly.

As a minimum, the documentation should be specific with a warning that root without any credentials is configured by default for physical access and that steps should be taken to secure this if physical security is insufficient.

The point of adding a security policy to the repo has also not been addressed.
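The thread turns on three concrete settings: sshd's `PermitRootLogin`, whether root has a password at all, and console autologin. The script below is an added audit helper, not Venus OS code and not something either participant posted; it reads those settings from files whose paths you pass in (assumed to be `/etc/ssh/sshd_config`, `/etc/shadow` and the getty unit on a real unit) and runs against a constructed sample that mirrors the default state jhofstee describes.

```shell
#!/bin/sh
# Added audit helper (not Venus OS code, not from this issue). Checks the three
# settings discussed in the thread on a unit you administer. File paths are
# parameters so the functions can also be run against constructed samples.

# Prints the effective PermitRootLogin value. sshd honours the FIRST uncommented
# occurrence of a keyword, so later duplicates are ignored. Prints "unset" when
# the directive is absent and OpenSSH's compiled-in default applies.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Classifies root's password field (2nd field of its shadow line):
#   empty  -> no password at all (the default state described above)
#   locked -> field starts with "!" or "*", password login impossible
#   set    -> a hash is present
root_password_state() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        "")        echo empty ;;
        "!"*|"*"*) echo locked ;;
        *)         echo set ;;
    esac
}

# "autologin" if a getty unit/override starts agetty with --autologin
# (the console behaviour the reporter objects to), otherwise "manual".
console_login_mode() {
    if grep -q -- '--autologin' "$1" 2>/dev/null; then echo autologin; else echo manual; fi
}

# Operator verdict: returns 0 when all three checks pass, 1 otherwise.
audit() {
    rc=0
    prl=$(permit_root_login "$1"); pw=$(root_password_state "$2"); con=$(console_login_mode "$3")
    [ "$prl" = no ]   || { echo "sshd PermitRootLogin is '$prl' (expected: no)"; rc=1; }
    [ "$pw" = set ]   || { echo "root password is $pw (expected: a password set and changed)"; rc=1; }
    [ "$con" = manual ] || { echo "console autologin is enabled for root"; rc=1; }
    return $rc
}

# Constructed sample unit (not captured from a real device): ssh root login
# limited to keys, no root password, and autologin on the physical console.
tmp=$(mktemp -d)
printf '# PermitRootLogin no\nPermitRootLogin prohibit-password\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf 'root::18800:0:99999:7:::\n' > "$tmp/shadow"
printf 'ExecStart=-/sbin/agetty --autologin root --noclear %%I\n' > "$tmp/getty.conf"
if audit "$tmp/sshd_config" "$tmp/shadow" "$tmp/getty.conf"; then echo hardened; else echo "needs hardening"; fi
```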
