Hello,
I just noticed that the default /etc/passwd file installed by the package setup-2.5.33-1.noarch.rpm (on an FC2, I don't know about FC1 and FC3 yet) contains the line root::0:0:root:/root:/bin/bash.
This means that root is a passwordless account but nevertheless usable, with a valid shell. When installing the package in a chroot, for a vserver, uml, or whatever, this creates a very serious security hazard!
I know this is not normally a problem, because anaconda will force the user to set a password. But the package isn't always installed by anaconda during a normal installation from media. In the case of a manual relocated installation for the purpose of creating a chroot environment, this is a real problem.
Arnaud Abélard
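One way to check a freshly populated chroot for the condition reported above, as an added example that is not part of the original message: it lists every account with an empty password field and a login shell. It goes slightly beyond the report by also consulting etc/shadow when the passwd field is "x"; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts in a chroot tree
# that have an empty password and a login shell, like root::0:0:...:/bin/bash.

# audit_empty_passwords ROOT  ->  prints "name:uid:shell" per finding.
# Assumption: a "x" in passwd defers to ROOT/etc/shadow, which is checked too.
audit_empty_passwords() {
    root=$1
    shadow="$root/etc/shadow"
    [ -r "$shadow" ] || shadow=/dev/null   # tree without a shadow file
    awk -F: '
        # First file (shadow): remember accounts whose hash field is empty.
        FILENAME == ARGV[1] { if ($2 == "") empty_shadow[$1] = 1; next }
        # Second file (passwd): skip non-login shells, report empty passwords.
        $7 ~ /(nologin|false)$/ { next }
        $2 == "" || ($2 == "x" && ($1 in empty_shadow)) { print $1 ":" $3 ":" $7 }
    ' "$shadow" "$root/etc/passwd"
}

# Constructed sample tree for the demonstration (hypothetical accounts).
make_sample_chroot() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc"
    cat > "$dir/etc/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
guest::500:500:guest:/home/guest:/sbin/nologin
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/sh
EOF
    cat > "$dir/etc/shadow" <<'EOF'
alice::12700:0:99999:7:::
bob:!!:12700:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(make_sample_chroot)
audit_empty_passwords "$sample"
rm -rf "$sample"
```

Run against a real tree as `audit_empty_passwords /path/to/chroot` after the package install and before the environment is exposed; any output line is an account to lock or give a password.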