root::0:0:root:/root:/bin/bash !?!

Kyrre Ness Sjobak kyrre at solution-forge.net
Thu Nov 11 20:52:43 UTC 2004


On Thu, 11.11.2004 at 20:12, Arnaud Abélard wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> I just noticed that the default /etc/passwd file installed by the
> package setup-2.5.33-1.noarch.rpm (on a FC2, I don't know about FC1 and
> FC3 yet) contains the line root::0:0:root:/root:/bin/bash.
> 
> This means that root is a passwordless account but nevertheless usable,
> with a valid shell. When installing the package in a chroot, for a
> vserver, uml, or whatever, this creates a very serious security hazard!
> 
> I know this is not normally a problem, because anaconda will force the
> user to set a password. But the package isn't always installed by
> anaconda during a normal installation from media. In the case of a
> manual relocated installation for the purpose of creating a chroot
> environment this is a real problem.
> 
> 
> Arnaud Abélard
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFBk7mpu1PiD4+WtDcRAm4AAJ9TyawfST/xTQfGJvXLlra6mliuRACeN/Gd
> X3jSXzbkn6v0hRq4IXzcNIs=
> =5YYj
> -----END PGP SIGNATURE-----

Wouldn't it then be better to set a "*" password? I.e. disable root?
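
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it scans a chroot-style tree for accounts whose password field is empty (in etc/passwd or etc/shadow) and which have a login shell. The function names, the sample accounts other than the root line quoted above, and the nologin/false shell filter are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the setup package.
# audit_empty_passwords ROOT
#   Prints "user<TAB>file" for each account under ROOT with an empty password
#   field and a login shell. Status: 0 clean, 1 findings, 2 cannot read passwd.
audit_empty_passwords() {
    root=${1:-/}; root=${root%/}
    passwd="$root/etc/passwd"; shadow="$root/etc/shadow"
    [ -r "$passwd" ] || { echo "cannot read $passwd" >&2; return 2; }
    [ -r "$shadow" ] || shadow=/dev/null   # tree without shadow passwords
    awk -F: '
        # shadow pass: remember the hash field of every user
        src == "shadow" { if (NF >= 2) hash[$1] = $2; next }
        # passwd pass: skip malformed lines and non-login shells (assumed filter)
        NF < 7 || $7 ~ /(nologin|false)$/ { next }
        $2 == "" { print $1 "\tpasswd"; found = 1; next }
        $2 == "x" && ($1 in hash) && hash[$1] == "" { print $1 "\tshadow"; found = 1 }
        END { exit found + 0 }
    ' src=shadow "$shadow" src=passwd "$passwd"
}

# Constructed sample tree: the root line quoted in the thread plus two
# made-up accounts (daemon, alice) for contrast.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/etc" || return 1
    printf '%s\n' 'root::0:0:root:/root:/bin/bash' \
                  'daemon::2:2:daemon:/sbin:/sbin/nologin' \
                  'alice:x:500:500::/home/alice:/bin/bash' > "$t/etc/passwd"
    printf '%s\n' 'alice::12733:0:99999:7:::' > "$t/etc/shadow"
    echo "$t"
}

# Demo run on the constructed tree; point the function at a real chroot instead.
tree=$(make_sample_tree)
audit_empty_passwords "$tree" || echo "empty-password login accounts found in $tree" >&2
rm -rf "$tree"
```

Run against a freshly populated chroot before it is started; a root entry with "*" in the password field, as suggested in the reply, is not reported.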



