root::0:0:root:/root:/bin/bash !?!
- From: Arnaud Abélard <arnaud abelard univ-nantes fr>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: root::0:0:root:/root:/bin/bash !?!
- Date: Thu, 11 Nov 2004 20:12:41 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I just noticed that the default /etc/passwd file installed by the
package setup-2.5.33-1.noarch.rpm (on a FC2, I don't know about FC1 and
FC3 yet) contains the line root::0:0:root:/root:/bin/bash.
This means that root is a passwdless account but nevertheless usable,
with a valid shell. When installing the package in a chroot, for a
vserver, uml, or whatever this creates a very serious security hazard!
I know this is not normally a problem, because anaconda will force the
user to set a password. But the package isn't always installed by
anaconda during a normal installation from media. In the case of a
manual relocated installation for the purpose of creating a chroot
environment this is a real problem.
Arnaud Abélard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBk7mpu1PiD4+WtDcRAm4AAJ9TyawfST/xTQfGJvXLlra6mliuRACeN/Gd
X3jSXzbkn6v0hRq4IXzcNIs=
=5YYj
-----END PGP SIGNATURE-----
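
The condition described in the message above can be checked on a chroot or guest tree before it is put to use. This is an added example, not part of the original post; the function names and every sample entry other than the root line are constructed.

```shell
#!/bin/sh
# Added example: report accounts in a chroot/guest tree whose password field
# is empty while the login shell is usable (e.g. root::0:0:root:/root:/bin/bash).

# find_empty_pw ROOT  ->  one "user:uid:shell:source" line per finding
find_empty_pw() {
    root=${1:-/}
    [ -r "$root/etc/passwd" ] || { echo "cannot read $root/etc/passwd" >&2; return 2; }
    awk -F: -v shadow="$root/etc/shadow" '
        BEGIN {
            # Load shadow (if present and readable): user -> password field.
            while ((getline line < shadow) > 0) {
                split(line, f, ":")
                seen[f[1]] = 1; hash[f[1]] = f[2]
            }
        }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            pw = $2; src = "passwd"
            # "x" defers to shadow; any other value is judged as written.
            if (pw == "x" && ($1 in seen)) { pw = hash[$1]; src = "shadow" }
            if (pw != "") next                  # locked or hashed: not our case
            if ($7 ~ /(nologin|false)$/) next   # no interactive shell
            print $1 ":" $3 ":" ($7 == "" ? "/bin/sh" : $7) ":" src
        }' "$root/etc/passwd"
}

# demo_empty_pw: run the check on a constructed tree (sample data, not real).
demo_empty_pw() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc"
    printf '%s\n' 'root::0:0:root:/root:/bin/bash' \
        'daemon::2:2:daemon:/sbin:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$t/etc/passwd"
    printf '%s\n' 'alice::12733:0:99999:7:::' > "$t/etc/shadow"
    find_empty_pw "$t"
    rm -rf "$t"
}

# Usage: script.sh demo | script.sh /path/to/chroot
case "${1:-}" in
    demo) demo_empty_pw ;;
    "")   ;;
    *)    find_empty_pw "$1" ;;
esac
```

An entry with `x` in passwd but no matching shadow line is not reported, since `x` is then just a non-matching password string rather than an empty one.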