[Fedora-livecd-list] A French Fedora LiveCD.

Jeremy Katz katzj at redhat.com
Mon Mar 13 21:33:37 UTC 2006


On Mon, 2006-03-13 at 22:18 +0100, Chitlesh GOORAH wrote:
> On 3/8/06, Jeremy Katz <katzj at redhat.com> wrote:
> > On Wed, 2006-03-08 at 23:26 +0530, Rahul Sundaram wrote:
> > > Jeremy Katz wrote:
> > > >On Wed, 2006-03-08 at 08:29 -0500, J. Hartline wrote:
> > > >>Provide fedora and root usernames with blank passwords. Security is not
> > > >>a concern for a Live CD
> > > >
> > > >No!  Security is very much a concern here.  We need to make sure we
> > > >don't start a spread of worms from our live CD.
> > > >
> > > Auto login to a non administrative user called Fedora. How is that bad
> > > for security?
> >
> > If you have ways to log in remotely, then it could allow for people to
> > log in and start running, e.g., eggbots or any of a number of other things
> > if there's a blank password.
> >
> > So it's not necessarily that auto-login to a non-administrative account
> > is bad (it probably does make sense).  But just that thinking "oh,
> > security isn't a concern for a live cd" is not wise.
> >
> I have a working script for autologin.
> So should I include this feature in my next build or not?
> 
> In /usr/share/gdm/defaults.conf, I've only set
> AutomaticLoginEnable=true
> AutomaticLogin=fedora
> 
> So is remote login still a problem for security if I have
> 
> AllowRemoteAutoLogin=false

Yes, sshd is almost certainly still installed and running.  

Jeremy
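
An added example, not part of the original message and not Fedora's own tooling: a shell audit of an unpacked live-image root for the things this thread weighs together (blank passwords in etc/shadow, the GDM keys quoted above, and an installed sshd). The usr/sbin/sshd and etc/ssh/sshd_config paths, the function names and the sample tree are assumptions made for the illustration.

```shell
# Accounts whose password field in etc/shadow is empty (blank password).
blank_password_users() {
    [ -r "$1/etc/shadow" ] || return 0
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Value of key $2 in the GDM defaults file named in the thread.
gdm_setting() {
    [ -r "$1/usr/share/gdm/defaults.conf" ] || return 0
    sed -n "s/^$2=//p" "$1/usr/share/gdm/defaults.conf" | head -n 1
}

# sshd_config: the first occurrence of a keyword wins; the default is "no".
sshd_permits_empty() {
    v=$(awk 'tolower($1)=="permitemptypasswords"{print tolower($2); exit}' "$1/etc/ssh/sshd_config" 2>/dev/null || true)
    echo "${v:-no}"
}

# Print one line per observation; return 1 if the image needs fixing, else 0.
audit_live_root() {
    root=$1; rc=0
    users=$(blank_password_users "$root" | tr '\n' ' ')
    if [ -n "$users" ]; then
        echo "blank-password accounts: $users"; rc=1
        if [ -x "$root/usr/sbin/sshd" ]; then echo "sshd is installed too"; fi
        echo "sshd PermitEmptyPasswords: $(sshd_permits_empty "$root")"
    fi
    if [ "$(gdm_setting "$root" AutomaticLoginEnable)" = "true" ]; then
        echo "GDM auto-login user: $(gdm_setting "$root" AutomaticLogin)"
    fi
    if [ "$(gdm_setting "$root" AllowRemoteAutoLogin)" = "true" ]; then
        echo "GDM AllowRemoteAutoLogin=true"; rc=1
    fi
    return $rc
}

# Constructed sample tree (not a real image): blank "fedora" password, sshd present.
make_sample_root() {
    d=$(mktemp -d); mkdir -p "$d/etc" "$d/usr/share/gdm" "$d/usr/sbin"
    printf 'root:!!:13000::::::\nfedora::13000::::::\n' > "$d/etc/shadow"
    printf 'AutomaticLoginEnable=true\nAutomaticLogin=fedora\nAllowRemoteAutoLogin=false\n' \
        > "$d/usr/share/gdm/defaults.conf"
    : > "$d/usr/sbin/sshd"; chmod +x "$d/usr/sbin/sshd"
    echo "$d"
}

# With no argument, audit the constructed sample instead of a real tree.
root=${1:-$(make_sample_root)}
audit_live_root "$root" || echo "=> fix the items above before release"
```

Auto-login alone is only reported, not counted as a failure; the audit fails on a blank password field or on AllowRemoteAutoLogin=true.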



