
root::0:0:root:/root:/bin/bash !?!



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I just noticed that the default /etc/passwd file installed by the
package setup-2.5.33-1.noarch.rpm (on an FC2, I don't know about FC1 and
FC3 yet) contains the line root::0:0:root:/root:/bin/bash.

This means that root is a passwordless account but nevertheless usable,
with a valid shell. When installing the package in a chroot, for a
vserver, uml, or whatever, this creates a very serious security hazard!

I know this is not normally a problem, because anaconda will force the
user to set a password. But the package isn't always installed by
anaconda during a normal installation from media. In the case of a
manual relocated installation for the purpose of creating a chroot
environment, this is a real problem.


Arnaud Abélard


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBk7mpu1PiD4+WtDcRAm4AAJ9TyawfST/xTQfGJvXLlra6mliuRACeN/Gd
X3jSXzbkn6v0hRq4IXzcNIs=
=5YYj
-----END PGP SIGNATURE-----
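
An added example, not part of the original post or of the setup package: a shell function that audits a chroot tree for the condition described above, an account with a usable shell and an empty password field in /etc/passwd, or an `x` entry whose /etc/shadow field is empty. The function name `empty_pw_accounts` and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts under a (chroot) tree that can log in
# without a password. Prints one "user:reason" line per finding.
# Usage: empty_pw_accounts /path/to/chroot
empty_pw_accounts() {
    root=${1:-/}
    passwd="$root/etc/passwd"
    shadow="$root/etc/shadow"
    [ -r "$passwd" ] || { echo "cannot read $passwd" >&2; return 2; }
    # A freshly populated chroot may have no shadow file at all.
    [ -r "$shadow" ] || shadow=/dev/null
    awk -F: '
        # Shadow file: remember accounts whose hash field is empty.
        # FILENAME is compared instead of FNR==NR so that an empty or
        # missing shadow file does not swallow the passwd lines.
        FILENAME == ARGV[1] { if ($2 == "") empty_shadow[$1] = 1; next }
        # Passwd file: ignore accounts without a usable login shell.
        $7 ~ /(nologin|false)$/ { next }
        $2 == ""                          { print $1 ":empty passwd field"; next }
        $2 == "x" && ($1 in empty_shadow) { print $1 ":empty shadow field" }
    ' "$shadow" "$passwd"
}

# Constructed demo tree containing the passwd line quoted in the post.
demo=$(mktemp -d) && mkdir -p "$demo/etc"
printf '%s\n' 'root::0:0:root:/root:/bin/bash' \
              'bin:x:1:1:bin:/bin:/sbin/nologin' > "$demo/etc/passwd"
empty_pw_accounts "$demo"
rm -rf "$demo"
```

Run it against the chroot path right after the package is installed and before any service inside the tree is started; a finding for root means a password should be set or the account locked first.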

