Bug 999126

Summary: The root user should be created with no password by default
Product: [Fedora] Fedora
Component: setup
Version: rawhide
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: Jóhann B. Guðmundsson <johannbg>
Assignee: Ondrej Vasik <ovasik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ovasik, pknirsch
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-22 10:52:48 UTC

Description Jóhann B. Guðmundsson 2013-08-20 19:07:03 UTC
Description of problem:

The root user should be created with no password by default which should save several lines in installer/spins code and ks files. 

If you have physical access to the machine you can always bypass a set root password anyway, so not defaulting to an empty/no root password is just security through obscurity.

The only reason, as I see it, not to do this is because we ship ssh enabled by default on the DVD, which we arguably should not be doing since it leaves the user in question instantly open to brute-force attacks without him knowing anyway, since we have nothing in place to notify him of it when it happens.


Comment 1 Ondrej Vasik 2013-08-21 06:35:07 UTC
I don't think this is a good idea. Feel free to bring it up on fedora devel list, otherwise I'll probably close that WONTFIX. Installer handles root user anyway, so changing default /etc/shadow is probably insufficient. I'll try to monitor the thread on fedora-devel, but feel free to post the link here to ensure this.

Comment 2 Jóhann B. Guðmundsson 2013-08-21 10:52:58 UTC
So basically I'm working on delivering the best container creation out of the box for administrators in Fedora/RHEL, where we create machine containers without the involvement of the installer et al., which is the reason for this request as well as the lack of the .bash* files in root's home directory, which is the other bug I filed.

I guess if you've got an F20/rawhide install handy somewhere (or simply create a VM) you can set up a test machine container to play with using these quick and dirty directions.

Due to a bug in audit it's necessary to disable it for OS containers.
So start by disabling audit on the container host by adding audit=0 to GRUB_CMDLINE_LINUX in /etc/default/grub and run grub2-mkconfig -o /boot/grub2/grub.cfg to regenerate the grub configuration.

( perfect admin step would start here )
Create the container directory 

# mkdir -p /containers/www.example01.com

Install into it minimal package set ( you can also install debian and soon arch since the arch installer pacman is being submitted for package review in Fedora )

# yum -y --releasever=rawhide --nogpg --installroot=/containers/www.example01.com --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal procps-ng

then spawn the container and set the machine hostname 

# systemd-nspawn -jbD /containers/www.example01.com/ -M www.example01.com
( perfect admin steps for setup would stop here )

Now you start encountering a series of bugs to fix...

The login prompt does not show the full hostname, so when you log into containers which both start with www.fqdn you don't know which host you are working on.
( which needs to be fixed consistently across the board login/command prompt )

You cannot log in since there is no default or empty password for root.
There are no .bash* files in root's home directory, so you need to work around that by chrooting into the container, setting the password and copying the /etc/skel files to root's home directory, as well as disabling pam_loginuid.so in /etc/pam.d/login so users can log in.


So the bugs that need to be fixed just to be able to install, run and log into an OS container are.. ( then there is probably a plethora of bugs outside that minimum )

a) audit should not have to be disabled #893751
b) unit file for the container should not have to be manually created #999120
c) pam_loginuid.so should not have to be disabled in /etc/pam.d/login #999450
d) serial and getty should show long hostname #999068
e) bashrc should default to show long hostnames #999086
f) contents of /etc/skel should be copied to root's home directory for proper bash prompt #999114
g) root password should arguably be empty by default #999126 ( this one )

Once we have fixed the above we can start focusing on other fallouts we might come across
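
An added check, not part of the bug report or of Fedora's tooling: the thread turns on whether root's password field in a freshly installed tree is empty or locked, and on sshd being enabled. The sketch below reads `etc/shadow` and `etc/ssh/sshd_config` under an install root such as the `/containers/...` directory from comment 2. The function names and sample files are constructed for illustration, and `Match`/`Include` handling in sshd_config is ignored.

```shell
#!/bin/sh
# Classify an account's password field in <installroot>/etc/shadow.
# Prints one of: empty | locked | set | missing
shadow_state() {
    shadow_file="$1/etc/shadow"
    [ -r "$shadow_file" ] || { echo missing; return 0; }
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # no password required
            else if ($2 ~ /^[!*]/) print "locked"  # no usable hash
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$shadow_file"
}

# Report the first PermitEmptyPasswords value (sshd uses the first one it
# reads); an absent or commented-out keyword means the default, "no".
sshd_allows_empty() {
    sshd_cfg="$1/etc/ssh/sshd_config"
    [ -r "$sshd_cfg" ] || { echo no; return 0; }
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$sshd_cfg"
}

# Summarise one install root; returns non-zero when root needs no password.
audit_root() {
    state=$(shadow_state "$1" root)
    ssh_empty=$(sshd_allows_empty "$1")
    echo "root=$state sshd_empty_passwords=$ssh_empty"
    [ "$state" != "empty" ]
}

# Constructed sample tree (not taken from the bug report).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf 'root::15939:0:99999:7:::\nbin:*:15939:0:99999:7:::\n' > "$demo/etc/shadow"
printf '#PermitEmptyPasswords no\nPermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config"
audit_root "$demo" || echo "finding: root has an empty password field"
rm -rf "$demo"
```

Run against a real tree with `audit_root /containers/www.example01.com` before the container is booted or exposed on a network.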

Comment 3 Jóhann B. Guðmundsson 2013-08-22 10:52:48 UTC
Based on feedback on devel, there seems to be more of a consensus on not setting the root password to empty, hence closing.

We can always reopen this if more people chime in on that thread and that changes.