mswhirl / autoflashgui

Utility to flash firmware to modems and run setup commands after the flash has completed
GNU General Public License v3.0
70 stars 17 forks

Root is left Vulnerable to Forced Update by ISP #2

Closed nealei closed 5 years ago

nealei commented 6 years ago

Once the modem is rooted, the password needs to be changed so an ISP forced update doesn't override it and lock the modem. How about putting a button on autoflashgui to [Confirm Secure Root], i.e. root password changed?

mswhirl commented 5 years ago

While I agree in principle that the root password should not be left as root, the ISP cannot enter the modem if the scripts to disable cwmpd etc. have been run; and these are too numerous for the variations of different modems. The other thing to consider is that this utility has no current SSH capability, so to really do this properly is a big change. I am not opposed to doing this and would be happy to receive patches that would add a post-access-gained set of ssh scripts (including prompting for a new root password), but please bear in mind any password taken from the GUI and put into the script through using regexes into scripts etc. will have to be escaped properly. I'm going to close this now due to the size of the work required but am happy to consider patches in future. Please re-open it if you wish to discuss the best path forward architecturally (i.e. how to store modem script variants, how the GUI will have to change) before doing any coding.
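The escaping concern raised in the comment above, as an added example that is not part of the original thread or of autoflashgui's code: a GUI-supplied password substituted into a script line by regex must be made literal both for `re.sub` and for the shell. The template, the `@@ROOT_CRED@@` placeholder, the use of `chpasswd` and all function names are assumptions for illustration.

```python
import re
import shlex

# Hypothetical post-root script line; placeholder and command are assumptions.
TEMPLATE = "printf '%s\\n' @@ROOT_CRED@@ | chpasswd"
PLACEHOLDER = re.compile(r"@@ROOT_CRED@@")


def render_naive(password):
    """Unsafe: the password acts as a regex replacement template and as raw shell text."""
    return PLACEHOLDER.sub("root:" + password, TEMPLATE)


def render_safe(password):
    """Substitute the password so that neither re.sub nor the shell interprets it."""
    # chpasswd reads one "user:password" record per line, so a line break would
    # smuggle in a second record; NUL cannot be carried in an argument at all.
    if not password or any(c in password for c in "\n\r\0"):
        raise ValueError("password is empty or contains a line break or NUL")
    quoted = shlex.quote("root:" + password)
    # A function replacement is inserted literally: no \1 or \g<0> expansion.
    return PLACEHOLDER.sub(lambda _match: quoted, TEMPLATE)


def credential_seen_by_shell(line):
    """Return the third word of the line after POSIX shell-style word splitting."""
    return shlex.split(line)[2]


if __name__ == "__main__":
    # Constructed sample passwords covering shell and regex metacharacters.
    for pw in ["hunter2", "pa'ss; reboot #", r"back\slash$HOME`id`"]:
        line = render_safe(pw)
        print(line, "->", credential_seen_by_shell(line))
```
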