I’ve noticed that the installer defaults to automatic login, which is VERY, VERY bad from a security standpoint. I think auto login is something a user should have to explicitly enable. I filed a bug report but the dev who was assigned to the bug just brushed it off because “we’ve always done it that way”. If there really is a good reason to keep this as the default and the relevant people make that decision, fine, but it should at least be considered.
I couldn’t find a sub-forum on the boards for discussions about the development of OpenSuse, so I put the thread here in General Chit-Chat. What’s the best way to contact the devs? I’ve already tried Bugzilla; at least this time I got a response. I suppose I’ll try IRC next.
This will not help you, but IIRC the subject was discussed earlier here. Again IIRC, the idea behind it seems to be that on a MS system you are also logged in without further identification and that the login by default would scare away potential Linux users.
I am with you in thinking that it is a lousy argument to want to be as insecure as your opponent, where one normally wants to be better than one's opponent.
But I must also admit that I have installed openSUSE for a friend and I have to put a lot of effort into pressing him into using passwords. Even yesterday, when I was doing some maintenance on his system, he asked me more or less sarcastically: “Nice all the password typing, isn’t it” when I was starting some tools as root (YaST, terminal) for the third time or so.
And for normal user passwords (and not logging in automatically) he only accepted it since he now wants to make the system available to his two grand-children (where I have to explain extensively what a multi user environment means, I set a bigger font for him in his KDE and had again to explain that that will not be effective for his grand-children :P).
Thus the fact of life is that we see all sorts of silly things in KDE and openSUSE only because they seem to be “invented” by MS and now people think that they are features instead of bugs. >:(
I am afraid that your quest is in vain because it is against the current flow of things.
Hm, come to think of it… where is the loss of security when an automatic login is enabled? I use a login with password, but more because of practical reasons (like being able to choose a different desktop environment before starting a session). Just asking…
I find the default of root having the same password as the first user much more critical.
I also do not think this (auto login) was ‘brushed off’. Rather, ‘at the time’ there was a debate, and the decision was made for the approach adopted, with auto login being the default. It is also easy to change in YaST.
We cannot deny that a lot of users see the automatic login as a feature. And they may be right on a home desktop. I would not encourage this on a traveling laptop.
That the “feature” also helps people in not seeing the difference between booting and login anymore (as many posts give proof of) is something we have to live with. >:)
Beyond automatic login there are plenty of ways Linux can be used insecurely. I would imagine that Windows converts might prefer to run as root just for the convenience of it.
I suppose you (the OP) should take comfort that you are aware of security issues and are capable of dealing with them. I just feel sorry for those individuals who suffer the consequences of working insecurely purely out of ignorance.
Perhaps we should expend more effort in making sure that new users secure their systems post-install by ensuring they find the relevant information here in an easy and direct manner.
This does make sense but Ubuntu IIRC does not have this insecure behavior by default, and they’re even more focused on catering to people who shouldn’t be allowed to touch computers.
I know how to fix it, that’s not my point. I don’t think it should be the default, just like my car shouldn’t default to letting anyone into it and start the engine. If I want to disable security features, fine, but they should be enabled by default.
Thanks for the link to features.opensuse.org, I didn’t know about that, I’ve only been on OpenSuse for about 6 months.
There sure are. Install Linux on a FAT file system. Use a simple password. Don’t create a user account, and only have root. Don’t enable the firewall. Use outdated software that is no longer supported. The list goes on and on.