Package: debootstrap Version: 1.0.8 Severity: normal Hello. Since debootstrap is often (at least by me) used to create chrooted environment for some services I'm threating this problem as rather important. Fresh debootstrapped system leaves empty password for root. It should at least put asterisk in /etc/shadow for that user. Friend of mine set up chrooted environment for postfix installation. He used MySQL as a backend for managing users and he made his best to ensure such system won't be open relay. He didn't even think that by default root account has no password, and this way some spammer sent 40k mails by this installation. Spammer used root account and authorized using empty password. I'm not sure whether it should be fixed in debootstrap itself or in base-files (this package afaik creates /etc/passwd and /etc/shadow). During normal installation user is asked for root password that's why I chose debootstrap for this bugreport. regards fEnIo -- ,''`. Bartosz Fenski | mailto:fenio@debian.org | pgp:0x13fefc40 | irc:fEnIo : :' : 32-050 Skawina - Glowackiego 3/15 - malopolskie v. - Poland `. `' phone:+48602383548 | proud Debian maintainer and user `- http://fenski.pl | xmpp:fenio@jabber.org | rlu:172001
Attachment:
signature.asc
Description: Digital signature