Re: root::0:0:root:/root:/bin/bash !?!
- From: Kyrre Ness Sjobak <kyrre solution-forge net>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: root::0:0:root:/root:/bin/bash !?!
- Date: Thu, 11 Nov 2004 21:52:43 +0100
Thu, 11.11.2004 at 20.12, Arnaud Abélard wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I just noticed that the default /etc/passwd file installed by the
> package setup-2.5.33-1.noarch.rpm (on a FC2, I don't know about FC1 and
> FC3 yet) contains the line root::0:0:root:/root:/bin/bash.
>
> This means that root is a passwdless account but nevertheless useable,
> with a valid shell. When installing the package in a chroot, for a
> vserver, uml, or whatever this creates a very serious security hazard!
>
> I know this is not normally a problem, because anaconda will force the
> user to set a password. But the package isn't always installed by
> anaconda during a normal installation from a media. In the case of a
> manual relocated installation for the purpose of creating a chroot
> environment this is a real problem.
>
>
> Arnaud Abélard
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBk7mpu1PiD4+WtDcRAm4AAJ9TyawfST/xTQfGJvXLlra6mliuRACeN/Gd
> X3jSXzbkn6v0hRq4IXzcNIs=
> =5YYj
> -----END PGP SIGNATURE-----
Wouldn't it then be better to set a "*" password? I.e. disable root?
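
An added example, not part of the original thread: a Python check that flags accounts whose password field is empty, like the root::0:0:root:/root:/bin/bash line quoted above, and that still have a login shell, for auditing the /etc/passwd of a chroot after installing packages into it. The function names, the list of non-login shells and the sample data are assumptions constructed for illustration.

```python
"""Flag passwordless, login-capable accounts in passwd/shadow text (added example)."""

# Assumption: shells treated as "cannot log in"; adjust for the system audited.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample data, modelled on the line quoted in the thread.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
sync::5:0:sync:/sbin:/bin/false
alice:x:500:500::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = "alice::12733:0:99999:7:::\n"


def parse_shadow(shadow_text):
    """Map user name -> password field from shadow(5) text."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def passwordless_accounts(passwd_text, shadow_text=""):
    """Return [(user, uid, shell)] for accounts with an empty password and a login shell."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed lines
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "x":
            # "x" defers to the shadow file; a missing entry is treated as locked here
            pw = shadow.get(user, "*")
        if pw == "" and shell not in NOLOGIN_SHELLS:
            findings.append((user, uid, shell))
    return findings


if __name__ == "__main__":
    for user, uid, shell in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"empty password: {user} (uid {uid}, shell {shell})")
```

To audit a real chroot, pass the contents of its etc/passwd and etc/shadow instead of the sample strings. Whether an empty field actually permits a login also depends on the authentication configuration in use.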