[ec2-beta] some feedback on the i386 image

Soren Hansen soren at ubuntu.com
Wed Jan 14 17:06:32 GMT 2009


On Wed, Jan 14, 2009 at 07:42:52AM -0800, Eric Hammond wrote:
> It seems to me that an empty password is similar security-wise to the
> proposal of locking the password and allowing passwordless sudo.

No. If you hack a PHP webapp, for instance, you're running as www-data,
but you're only a quick "su - ubuntu" away from becoming the ubuntu user,
at which point you can sudo to root. With a locked or password-protected
ubuntu account, you're stuck as the www-data user.

-- 
Soren Hansen               | 
Virtualisation specialist  | Ubuntu Server Team
Canonical Ltd.             | http://www.ubuntu.com/
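
An audit for the distinction drawn in this message, as an added example that is not part of the original e-mail or of any Ubuntu tooling: it separates empty from locked password fields in a shadow file and reports accounts that combine an empty password with a NOPASSWD sudo rule. The function names and the sample files are constructed for illustration, and the sudoers handling is a simplification that assumes plain per-user rules.

```shell
# Added example. Function names and all sample data are constructed.
# Print "user state" per account; state is empty, locked or set.
classify_shadow() {
    awk -F: '
        $2 == ""     { print $1, "empty";  next }  # no password required
        $2 ~ /^[!*]/ { print $1, "locked"; next }  # no password can match
                     { print $1, "set" }           # a hash is present
    ' "$1"
}

# Print users that have a NOPASSWD rule (simplified: plain user entries
# only; group rules, aliases and included files are not resolved).
nopasswd_users() {
    awk '
        NF == 0 || $1 ~ /^(#|%|Defaults)/ || $1 ~ /_Alias$/ { next }
        /NOPASSWD:/ { print $1 }
    ' "$1"
}

# Accounts any local process could "su -" into and then sudo to root.
risky_accounts() {
    classify_shadow "$1" | awk '$2 == "empty" { print $1 }' |
    while read -r user; do
        if nopasswd_users "$2" | grep -qxF -- "$user"; then echo "$user"; fi
    done
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/shadow" <<'EOF'
root:*:14258:0:99999:7:::
www-data:*:14258:0:99999:7:::
ubuntu::14258:0:99999:7:::
admin:!:14258:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:14258:0:99999:7:::
EOF
    cat > "$1/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
ubuntu ALL=(ALL) NOPASSWD:ALL
admin ALL=(ALL) NOPASSWD:ALL
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
risky_accounts "$demo/shadow" "$demo/sudoers"
rm -rf "$demo"
```

In the sample, admin has the same NOPASSWD rule as ubuntu but is not reported, because its locked password field leaves no password for "su" to accept.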