Thu, 11.11.2004 at 20:12, Arnaud Abélard wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I just noticed that the default /etc/passwd file installed by the
> package setup-2.5.33-1.noarch.rpm (on a FC2, I don't know about FC1 and
> FC3 yet) contains the line root::0:0:root:/root:/bin/bash.
>
> This means that root is a passwdless account but nevertheless usable,
> with a valid shell. When installing the package in a chroot, for a
> vserver, uml, or whatever this creates a very serious security hazard!
>
> I know this is not normally a problem, because anaconda will force the
> user to set a password. But the package isn't always installed by
> anaconda during a normal installation from a media. In the case of a
> manual relocated installation for the purpose of creating a chroot
> environment this is a real problem.
>
>
> Arnaud Abélard
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBk7mpu1PiD4+WtDcRAm4AAJ9TyawfST/xTQfGJvXLlra6mliuRACeN/Gd
> X3jSXzbkn6v0hRq4IXzcNIs=
> =5YYj
> -----END PGP SIGNATURE-----

Wouldn't it then be better to set a "*" password? I.e. disable root?
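
The check discussed in this thread, as an added example that is not part of either message: a small auditor that reads passwd and shadow text (for instance from a freshly populated chroot) and reports accounts whose password field is empty, while treating "*" and "!" as locked. The function names, the `NOLOGIN_SHELLS` set and the sample entries other than the quoted root line are assumptions made for this sketch.

```python
# Added example: flag accounts that can log in with no password.
# NOLOGIN_SHELLS and the sample data are assumptions made for this sketch.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_shadow(text):
    """Map account name -> password field from shadow(5)-style text."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def audit_passwd(passwd_text, shadow_text=""):
    """Return (name, uid, shell, reason) for every passwordless account."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((fields[0], None, None, "malformed entry"))
            continue
        name, pw, uid, shell = fields[0], fields[1], int(fields[2]), fields[6]
        source = "passwd"
        if pw == "x":
            # Password is stored in shadow; no shadow entry is treated as locked.
            pw, source = shadow.get(name, "*"), "shadow"
        if pw != "":
            continue  # a hash, or locked with "*" / "!"
        note = " (no login shell)" if shell in NOLOGIN_SHELLS else ""
        findings.append((name, uid, shell, f"empty password in {source}{note}"))
    return findings

# Constructed sample; the root line is the one quoted in the report above.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
daemon:*:12733:0:99999:7:::
alice::12733:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

With the root entry changed to `root:*:0:0:root:/root:/bin/bash`, as the reply proposes, the auditor reports nothing for root.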