On Tue, Jul 20, 2004 at 04:21:33PM +0100, Dennis Dryden wrote:
Why should a home user need a password to login to there own machine? I understand the need for security on a public use machine that has more then one user account or on a machine that allows remote logins but does a simple home user need multiple accounts or remote logins? I wouldn't think this was good for a normal distribution but for a home use distro it makes sense.
Ok, Imagine a scenario, you share a machine with your brother and you each have a login "dennis" and "john" both of these accounts have no password. Now john is visits a website and unknown to him the web browser he is running has a security hole and the remote website sends some data to your machine which exploits this security hole.
Now, it deletes all of his data, but because the exploit is clever it also checks for other users and knowing that they don't have passwords deletes their data also. It is also a good idea to get people into the habit of using decent password and you never know when something somewhere will have a security exploit that causes people to be able to break into your machine. Just because you don't have remote logins setup doesn't mean people can't get exploit some other bit of software to give them a shell, it could be that they exploit the webserver and manage to get a shell, but hopefully that webserver will only allow them some very unprivileged access to the system as the user the webserver was running as. If you then have a shell and accounts with no password you can circumvent them to give you more access to the system (and once I am running as you I pop up a box when you login saying "please enter the root password for system maintenance" and then use your machine to attack+infect other machines etc. etc.
Adam