Message-ID: <513855F6.2020209@eng.auth.gr>
Date: Thu, 07 Mar 2013 10:55:18 +0200
From: George Mamalakis
To: doc@freebsd.org
Subject: Default empty root password should be documented

Hi all,

Recently on one of my systems I installed a jail from scratch (I usually copy my jails from other machines). Before running it, I checked with vipw(8) to see if the password format was the one I was expecting, and I saw that the root password was empty.

I understand that this is the case with "make installworld" and that it is also the case when installing a system from the CLI; it's not the first time I have noticed it, and I suppose there is a reason for root's default password to be empty and not starred out (probably to prevent someone from getting locked out of the machine accidentally before setting a root password).

Furthermore, I know that this is documented in jail(8)'s man page, but due to the security risk imposed when someone forgets to set a password for root, I see no reason why a reminder for setting the root password should not be mentioned in the Handbook's jail section as well, with bold fonts or in a warning-box.

Thank you all for your time in advance,

George Mamalakis.
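
A check for the condition described in the message above, as an added example that is not part of the original post: it lists accounts with an empty password field in a jail's etc/master.passwd. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. master.passwd(5) fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Print "name uid shell" for each account whose password field is empty.
empty_pw_accounts() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        NF != 10 {                      # report malformed entries on stderr
            printf "%s:%d: expected 10 fields, got %d\n", FILENAME, FNR, NF > "/dev/stderr"
            next
        }
        $2 == "" { printf "%s %s %s\n", $1, $3, $10 }
    ' "$1"
}

# Audit one jail root directory.
# Returns 0 if clean, 1 if any password field is empty, 2 if unreadable.
audit_jail() {
    aj_file="$1/etc/master.passwd"
    if [ ! -r "$aj_file" ]; then
        echo "cannot read $aj_file" >&2
        return 2
    fi
    aj_found=$(empty_pw_accounts "$aj_file")
    if [ -z "$aj_found" ]; then
        return 0
    fi
    echo "$aj_found" | while read -r aj_name aj_uid aj_shell; do
        echo "$aj_file: $aj_name (uid $aj_uid, shell ${aj_shell:-none}) has an empty password"
    done
    return 1
}

# Constructed sample entries (not copied from a real system).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Usage: sh <this script> /path/to/jail1 /path/to/jail2 ...
if [ "$#" -gt 0 ]; then
    rc=0
    for j in "$@"; do audit_jail "$j" || rc=1; done
    exit "$rc"
fi
```

Reading master.passwd normally requires root, so run the audit as root on the host, passing each jail's root directory as an argument.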