[question] root access (su, devel-su) and system security
Hello,
a few days ago I finally got my Jolla Phone. :-)
As I don't have any mentionable experience with linux and never had another smartphone before, I hope someone here will help me to understand the effects of su and devel-su on system security.
Having developer mode enabled and remote access disabled, I cannot use one of those two commands by just clicking "return" when I am asked for the password. Does this mean that somewhere in the system configuration, there is an option like "don't allow empty passwords for local or remote access as root" set to the value "true"? And if this is the case, is it changeable?
Activating remote access and setting a password makes it possible to use the command devel-su. I also found an instruction of how to use "su" instead. But I have read contradictory statements about the question which of those ways is more secure. One person claims devel-su has been developed in order to be more "paranoid" and another one states that remote access will always be enabled, if a password ist set for the root. The third statement in contrast advises people to let remote access be disabled and to use su to avoid connections via SSH. So I am a bit confused now.
The way I would like it to work is that I can get full access to the phone in order to configure it and then set it back to limited access rights before I reconnect to the Internet. So that it is impossible then for anyone to execute code as root.
This leads me to another question concerning this theme: Is it a security risk to have developer mode enabled, but remote access disabled and therefore no password set? Could a malware easily set its own password then?
Thanks in advance for your help!