Professional virus writers often target only small group of machines. They sell bot networks, and these are more likely not to be noticed by anti-virus software developers when virus is not spread wide. It would be possible to use N900 for e.g. sending spam even though wireless mobile device hasn't got the best performance. Also there's no anti-virus software for N900 and root access is not protected.

Though i'm sure that this forum would notice a virus right away.

Actually I would feel better if sudo access without passwor was restricted to the application manager (although this also opens root access to malicious packages, but at least its only packages )

MSN has a SPAM problem. It's likely to have nothing to do with Maemo - rather, it's probably friends with viruses on their computers.

I don't get the problem with setting a password - I don't think it impedes usability. Works well enough on Ubuntu!

While I haven't tried it, I think it would be quite easy to require a password for root access. Read up on the sudoers file. You'll find a line in it concerning gainroot.

I don't want to give step by step instructions here because it's too easy to lock yourself out of the device if you make a mistake, so it's best you read up on it. It's a relatively simple change.

If you do decide you want to undertake the change, make sure you use visudo rather than editing the sudoers file directly. A misplaced space could spell your doom!

Cheers,
Jan

What happens to app manager when you set a password to protect root account?

I think gainroot is a separate account to the one App Manager uses. Might be wrong here..

Nothing happens. App manager doesn't rely on a root password. Installing openssh asks you to set the root password anyway.

Sudo != root. Sudo is with respect to the user, not the "root" account.

Most of the stuff you do as a user that would normally require "root" rights, like the app manager, are actually using Sudo. Sudo grants the *user* temporary root rights to run the applications.

Sudo has been configured to grant user the right to be root with specific commands *without a password*. Meaning that if you set a root or user password it won't matter because sudo has been told "don't ask".

The way Ubuntu does it, is it has two wrapper programs: gksu and gksudo. Your user account has a password that only you are supposed to know, when you launch Synaptic or whatever package manager *that* sudo has been told "Ask for a Password" and it uses gksudo/su to prompt a GUI password box for you to put that into.

AFAIK: No gui password prompt program is available for the N900 and thus that specific solution would require manual work in making one. The other possibility is you set yourself a user password (leave root locked unless you have specific reason to need it), and then completely change your sudoers file to prompt for a password in order to gain root.

However, you would then need to go through and modify every .desktop file and have it launch in a terminal window instead of directly so that your terminal will ask for the password. Not elegant, and certainly not easy... not to mention extremely likely to brick the device unless you know exactly what you're doing.

Given the sample size of the software for N900 it's unlikely for anyone to ever get a virus. Though it's possible that something that targets Debian could be adjusted accordingly.

However, it would have to be "download and install" and it would need to be on -likely- this forum, since no virus is complete if it attacks ONE machine. Once here, people would likely complain and the package would fail.

The reason why Windows has such a problem has nothing to do with community or support - it's pretty much impossible to get through these days. Ten years ago, on home OSs, maybe.

What Windows has is the average userbase and the sheer size of it. As a Windows admin I've seen my share of viruses and in all cases there's some user looking at the floor muttering something about "I installed this and that".

I don't even think there's such a a thing as a virus any more - last I've seen is CIH. Nowadays they're all trojans.

Make no mistake, if a billion people would have N900 and the right to install-from-anywhere, there'd be a million of the little buggers. For now, however, stick to repositories. Even better, stick with official ones. I'm guessing that the push to Extras gets someone to at least skim the code.