root::0:0:root:/root:/bin/bash !?!

Arnaud Abélard arnaud.abelard at univ-nantes.fr
Thu Nov 11 19:12:41 UTC 2004


Hello,

I just noticed that the default /etc/passwd file installed by the
package setup-2.5.33-1.noarch.rpm (on a FC2, I don't know about FC1 and
FC3 yet) contains the line root::0:0:root:/root:/bin/bash.

This means that root is a passwordless account but nevertheless usable,
with a valid shell. When installing the package in a chroot, for a
vserver, uml, or whatever, this creates a very serious security hazard!

I know this is not normally a problem, because anaconda will force the
user to set a password. But the package isn't always installed by
anaconda during a normal installation from media. In the case of a
manual relocated installation for the purpose of creating a chroot
environment this is a real problem.


Arnaud Abélard





More information about the fedora-devel-list mailing list
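
Added example, not part of the original post: a shell check that lists accounts in a chroot or guest root that have an empty password field and a usable login shell, which is the condition the message describes. It also covers the shadow case (an "x" in /etc/passwd with an empty hash in /etc/shadow), which goes beyond the post. The function names and the sample passwd/shadow contents are constructed for illustration.

```shell
#!/bin/sh
# Audit a chroot / guest root for accounts that can log in without a password.
# Usage: sh audit.sh /path/to/chroot

# Print "user:uid:shell" for every account under root dir $1 whose password
# field is empty and whose shell is not nologin/false.
empty_pw_accounts() {
    passwd_file="$1/etc/passwd"
    shadow_file="$1/etc/shadow"
    # A freshly unpacked tree may have no shadow file at all.
    [ -r "$shadow_file" ] || shadow_file=/dev/null
    awk -F: -v shadow="$shadow_file" '
        # Shadow pass: remember users whose hash field is empty.
        FILENAME == shadow { if ($2 == "") empty[$1] = 1; next }
        # Passwd pass: skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        {
            nologin = ($7 ~ /\/(nologin|false)$/)
            blank = ($2 == "" || ($2 == "x" && ($1 in empty)))
            if (blank && !nologin) print $1 ":" $3 ":" $7
        }
    ' "$shadow_file" "$passwd_file"
}

# Build a constructed sample root so the check can be tried offline.
# The first passwd line is the one quoted in the post; the rest are made up.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc"
    cat > "$root/etc/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon::2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF
    cat > "$root/etc/shadow" <<'EOF'
alice:$1$constructed$notarealhash:12700:0:99999:7:::
bob::12700:0:99999:7:::
EOF
    printf '%s\n' "$root"
}

# Run the audit only when a root directory is given on the command line.
[ "$#" -eq 0 ] || empty_pw_accounts "$1"
```

Any line of output means the tree should not be exposed until the account is locked or given a password, for example by running `passwd -l root` inside the chroot.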