[LEDE-DEV] [PATCH] utils/busybox: prevent weak root passwords
David Lang
david at lang.hm
Fri Feb 17 03:44:59 PST 2017
On Fri, 17 Feb 2017, Dan Lüdtke wrote:
> Hi David,
>
> thanks for the fast response!
>
>> On 17 Feb 2017, at 11:54, David Lang <david at lang.hm> wrote:
>> But deciding that you know better than the admin of the system is not.
>
> Not that I am a fan of telling admins what to do, but do you see any chance
> that we can get an consistent and enforceable approach to *minimum*
> requirements, e.g. minimum password length? Maybe by using a configuration
> variable? Havon only the GUI enforce minimum password length and not the CLI
> is rather inconsistent (some may say useless or even confusing).
some would say useless, others would say extremely useful. Making a LEDE-only
way of doing this will be far more confusing to those of us who use many
systems.
>> you don't have any idea what the security environment is for the system, or
>> why the admin is selecting that password.
>>
>> It's not just a busybox thing to allow the root user to select a password
>> that is shorter than 'recommended', that's normal behavior on *nix systems
>> and has been for decades, even as the 'recommendations' have changed.
>
> I rather see this as a "LEDE" system not a standard *nix system, even though
> it is based on Linux and runs a Linux kernel. The question is, is this a more
> a "product" or just another Linux system?
LEDE is a Linux Distro that is optimized for "embedded" systems (Linux Embedded
Development Environment is what LEDE stands for IIRC)
There are a lot of proprietary systems out there for low resource systems, one
of the big strengths of OpenWRT and LEDE is that it IS a Linux system, which
means that Linux tools work, and software that was origionally developed for
much larger systems is available.
If you had asked people when OpenWRT started if it would ever be possible to run
a phone system on a router, they would have laughted at you, the router would
obviously be far too limited to do something like that (both in CPU and memory),
but as more powerful routers became available, the Linux compatibility meant
that Asterisk could be compiled for this CPU and "just work", no significant
development effort needed.
We are now near, or at the point where Java based tools can be run on these
devices, which will open up another world of software and tools.
So I believe that it really is important to recognize the LEDE is "just another
Linux system" and to try and avoid breaking compatibility with such systems.
> "has been for decades" is not a good argument. The others are. But that one is just not.
Breaking long-established ways of doing things has a cost. Adding a newer (and
in your opinion, better) way of doing something is just fine, but every time you
make it so that an existing way of doing something breaks, you aggrevate admins
of systems, and reduce the value of all the documentation (in print and on the
web). Sometimes there is a good enough reason to break something, but it should
always be done reluctantly.
David Lang
More information about the Lede-dev
mailing list