[maemo-users] Questions #3: root

From: Eero Tamminen eero.tamminen at nokia.com
Date: Fri Sep 14 16:19:32 EEST 2007

ext Thomas Leavitt wrote:
> Very cool - I'm in as root! Now this is a *real* Linux box!
> ... although, from another perspective, I find it incredibly uncool that 
> I've been walking around with a machine with a widely known default root 
> password, not knowing that I'd enabled remote access to it when I 
> installed the "ssh" package.

Whenever you install anything that opens sockets to the network,
you should really know what you're doing.  Did you check where you
got your ssh?  Was it (an older) version with known exploits?  Etc...

> I was under the impression that you had to
> go through some bizarre and risky gyration to obtain root access to the 
> machine... not simply ssh to localhost!!!!! Eek?!?
> Now, another geeky question. "user" is a lame login name. I'm going to 
> assume that it is incredibly unwise to rename "user" to something 
> reasonable, like "thomas" :) ... is it possible to create a new user and 
> login using that account instead? I see (via redpill mode) that 
> "adduser" is one of the packages installed.
> I also noticed that "/etc/shells" has a long list of shells.

As these shells are not installed to the device, this is actually
a bug which you could report to Maemo Bugzilla.

> It seems 
> just slightly strange to me that, on a device this resource constrained, 
> they'd "waste" even that many "bytes" by not truncating this file... 
> makes me wonder what other potential "optimizations" haven't been done.

At least on normal desktop file system this wouldn't be an optimization,
the minimum disk block size is 512 bytes...

JFFS-2 uses fragments so in theory you might save a byte or two, but
it compresses text pretty well and compared to the content like videos, 
songs, images (which are already compressed i.e. cannot be compressed
further by JFFS-2), user guides etc, this is, well... pointless?

> I also wonder how the synaptic install package managed to add a line 
> referencing itself to /etc/sudoers... if the app installer permits 
> modifications of this sort to be made to /etc/sudoers, doesn't that 
> suggest someone could simply write an app that added the line below, or 
> write a malicious app that gave itself root privileges?

Any application you install can do *anything* in the device, the package
management works with root privileges, just like on any other Linux
(except ones using system wide security policies, I know e.g. RedHat
uses selinux to restrict what daemons open to the networks can do,
but do they use it for anything else?)

	- Eero
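The thread's point about maintainer scripts (package management runs as root, so a postinst can edit /etc/sudoers or anything else) suggests the obvious defensive check: look at what a package's maintainer scripts do before installing it. The following is an added example, not code from the thread or from the Maemo project. It parses the .deb container (an `ar` archive holding `debian-binary`, `control.tar.gz` and `data.tar.gz`), pulls the preinst/postinst/prerm/postrm scripts out of `control.tar.gz`, and reports any line that references /etc/sudoers. It assumes the classic gzip-compressed control tarball (newer dpkg may emit `control.tar.xz` or `.zst`, which this does not handle); the sample package it inspects is constructed in memory, and `build_sample_deb` and the sudoers line inside it are purely illustrative.

```python
"""Inspect a .deb's maintainer scripts for /etc/sudoers edits (added example)."""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
SUDOERS_PATTERN = re.compile(r"/etc/sudoers")


def parse_ar(blob: bytes) -> dict:
    """Parse a classic `ar` archive (the outer .deb container) into {name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members = {}
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]           # fixed 60-byte ASCII header
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = header[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)       # members are padded to 2-byte alignment
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for the maintainer scripts in control.tar.gz."""
    members = parse_ar(deb)
    control = members.get("control.tar.gz")
    if control is None:
        raise ValueError("control.tar.gz missing (xz/zst control tarballs not handled here)")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:gz") as tar:
        for entry in tar.getmembers():
            base = entry.name.split("/")[-1]  # "./postinst" -> "postinst"
            if base in MAINTAINER_SCRIPTS and entry.isfile():
                scripts[base] = tar.extractfile(entry).read().decode("utf-8", "replace")
    return scripts


def sudoers_findings(deb: bytes) -> dict:
    """Map script name -> list of lines that mention /etc/sudoers (empty dict if none)."""
    findings = {}
    for name, text in maintainer_scripts(deb).items():
        hits = [line.strip() for line in text.splitlines() if SUDOERS_PATTERN.search(line)]
        if hits:
            findings[name] = hits
    return findings


# --- constructed sample package, only so the example runs offline ------------

def _ar_member(name: bytes, data: bytes) -> bytes:
    """Emit one ar member: 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_sample_deb(postinst_text: str) -> bytes:
    """Build a minimal .deb in memory (hypothetical package 'demo', constructed data)."""
    control_buf = io.BytesIO()
    with tarfile.open(fileobj=control_buf, mode="w:gz") as tar:
        for fname, text in (("control", "Package: demo\nVersion: 1\n"),
                            ("postinst", postinst_text)):
            data = text.encode()
            info = tarfile.TarInfo("./" + fname)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    data_buf = io.BytesIO()
    with tarfile.open(fileobj=data_buf, mode="w:gz"):
        pass                                   # empty payload is enough for the demo
    return (b"!<arch>\n"
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", control_buf.getvalue())
            + _ar_member(b"data.tar.gz", data_buf.getvalue()))


# Constructed postinst of the kind the thread describes: it appends to /etc/sudoers.
SAMPLE_POSTINST = """#!/bin/sh
set -e
echo "user ALL = NOPASSWD: /usr/bin/demo" >> /etc/sudoers
"""

if __name__ == "__main__":
    deb = build_sample_deb(SAMPLE_POSTINST)
    for script, lines in sudoers_findings(deb).items():
        for line in lines:
            print(f"{script}: {line}")
```

On a real device the same functions would be fed the bytes of a downloaded .deb (`open(path, "rb").read()`) before `dpkg -i` or the application manager ever runs its scripts as root; a hit is not proof of malice, only the cue to read the script by hand.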
