
Bug#470614: leaves possibility to login as root without password

Package: debootstrap
Version: 1.0.8
Severity: normal


Since debootstrap is often (at least by me) used to create chrooted
environments for some services, I'm treating this problem as rather

A fresh debootstrapped system leaves an empty password for root.

It should at least put an asterisk in /etc/shadow for that user.

A friend of mine set up a chrooted environment for a postfix installation. He
used MySQL as a backend for managing users and he did his best to ensure
such a system won't be an open relay.

He didn't even think that by default the root account has no password, and this
way some spammer sent 40k mails through this installation. The spammer used the
root account and authorized using an empty password.

I'm not sure whether it should be fixed in debootstrap itself or in
base-files (this package afaik creates /etc/passwd and /etc/shadow).

During a normal installation the user is asked for a root password; that's why
I chose debootstrap for this bug report.

  ,''`.  Bartosz Fenski | mailto:fenio@debian.org | pgp:0x13fefc40 | irc:fEnIo
 : :' :       32-050 Skawina - Glowackiego 3/15 - malopolskie v. - Poland
 `. `'           phone:+48602383548 | proud Debian maintainer and user
   `-            http://fenski.pl | xmpp:fenio@jabber.org | rlu:172001
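
The check the report asks for, as an added example that is not part of the original message or of debootstrap: it classifies each entry of a chroot's shadow file and replaces empty password fields with an asterisk. The function names are hypothetical and the sample shadow entries are constructed.

```shell
#!/bin/sh
# Audit a chroot's shadow file for accounts that accept an empty password.

# Print "user:STATE" for each entry of a shadow-format file.
#   EMPTY  = password field is empty, login needs no password
#   LOCKED = field starts with * or !, no password can match
#   HASH   = a password hash is set
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }
        $2 == ""       { print $1 ":EMPTY";  next }
        $2 ~ /^[*!]/   { print $1 ":LOCKED"; next }
                       { print $1 ":HASH" }
    ' "$1"
}

# Print only the account names whose password field is empty.
empty_password_accounts() {
    classify_shadow "$1" | awk -F: '$2 == "EMPTY" { print $1 }'
}

# Replace every empty password field with "*", leaving other fields untouched.
# Writes back through the original file so its owner and mode are preserved.
lock_empty_passwords() {
    tmp=$(mktemp) || return 1
    awk -F: 'BEGIN { OFS = ":" }
        !/^#/ && NF >= 2 && $2 == "" { $2 = "*" }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: root with an empty field, as in the report above.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root::13950:0:99999:7:::
daemon:*:13950:0:99999:7:::
postfix:!:13950:0:99999:7:::
alice:$6$constructedsalt$constructedhash:13950:0:99999:7:::
EOF
}

demo=$(mktemp)
write_sample_shadow "$demo"
echo "before: $(empty_password_accounts "$demo")"
lock_empty_passwords "$demo"
echo "after:  $(classify_shadow "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

For a real chroot, pass the path of its `etc/shadow` to `empty_password_accounts` before exposing any service that authenticates against system accounts.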
