[ec2-beta] some feedback on the i386 image
soren at ubuntu.com
Wed Jan 14 17:06:32 GMT 2009
On Wed, Jan 14, 2009 at 07:42:52AM -0800, Eric Hammond wrote:
> It seems to me that an empty password is similar security-wise to the
> proposal of locking the password and allowing passwordless sudo.
No. If you hack a php webapp for instance, you're running as www-data,
but you're only a quick "su - ubuntu" away from becoming the ubuntu user
at which point you can sudo to root. With a locked or password protected
ubuntu account, you're stuck as the www-data user.
Soren Hansen |
Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
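
Added example, not part of the original message or of any Ubuntu tooling: a small audit that classifies the password field of shadow-format entries as empty, locked or set, and flags empty-password accounts, rating them critical when they can also sudo. The sample entries, the account names other than ubuntu and www-data, and the `sudo_users` parameter (the set of accounts the auditor already knows to have sudo rights) are constructed assumptions.

```python
# Constructed sample in /etc/shadow format; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:!:14258:0:99999:7:::
ubuntu::14258:0:99999:7:::
www-data:*:14258:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:14258:0:99999:7:::
backup:!$6$constructedsalt$constructedhash:14258:0:99999:7:::
"""


def classify_password_field(field):
    """Return 'empty', 'locked' or 'set' for the second shadow field."""
    if field == "":
        # No password at all: "su - <user>" may succeed without a prompt,
        # depending on PAM configuration (pam_unix "nullok").
        return "empty"
    if field[0] in "!*":
        # A leading '!' or '*' can never match a hash: password login is locked.
        return "locked"
    return "set"


def parse_shadow(text):
    """Map account name -> password state, skipping blank and comment lines."""
    states = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        states[parts[0]] = classify_password_field(parts[1])
    return states


def audit(shadow_text, sudo_users):
    """Return sorted (account, severity) pairs for empty-password accounts.

    sudo_users is an assumption: the accounts known to have sudo rights.
    """
    findings = []
    for user, state in parse_shadow(shadow_text).items():
        if state == "empty":
            severity = "critical" if user in sudo_users else "high"
            findings.append((user, severity))
    return sorted(findings)


if __name__ == "__main__":
    for user, severity in audit(SAMPLE_SHADOW, {"ubuntu"}):
        print(f"{severity}: {user} has an empty password")
```
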