Your message dated Wed, 17 Feb 2010 17:20:37 -0500 with message-id <20100217222037.GA13569@gnu.kitenet.net> and subject line closing; fixed in unstable & not really a debootstrap bug has caused the Debian Bug report #470614, regarding leaves possibility to login as root without password to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
470614: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470614
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: leaves possibility to login as root without password
- From: Bartosz Fenski aka fEnIo <fenio@debian.org>
- Date: Wed, 12 Mar 2008 10:52:38 +0100
- Message-id: <20080312095238.GA5483@localdomain>

Package: debootstrap
Version: 1.0.8
Severity: normal

Hello.

Since debootstrap is often (at least by me) used to create a chrooted environment for some services, I'm treating this problem as rather important.

A fresh debootstrapped system leaves an empty password for root. It should at least put an asterisk in /etc/shadow for that user.

A friend of mine set up a chrooted environment for a postfix installation. He used MySQL as a backend for managing users and he did his best to ensure such a system won't be an open relay. He didn't even think that by default the root account has no password, and this way some spammer sent 40k mails by this installation. The spammer used the root account and authorized using an empty password.

I'm not sure whether it should be fixed in debootstrap itself or in base-files (this package afaik creates /etc/passwd and /etc/shadow). During normal installation the user is asked for a root password, that's why I chose debootstrap for this bugreport.

regards
fEnIo

--
  ,''`.  Bartosz Fenski | mailto:fenio@debian.org | pgp:0x13fefc40 | irc:fEnIo
 : :' :   32-050 Skawina - Glowackiego 3/15 - malopolskie v. - Poland
 `. `'   phone:+48602383548 | proud Debian maintainer and user
   `-  http://fenski.pl | xmpp:fenio@jabber.org | rlu:172001

Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 470614-done@bugs.debian.org
- Subject: closing; fixed in unstable & not really a debootstrap bug
- From: Joey Hess <joeyh@debian.org>
- Date: Wed, 17 Feb 2010 17:20:37 -0500
- Message-id: <20100217222037.GA13569@gnu.kitenet.net>

debootstrap has nothing to do with the default contents of /etc/passwd. debootstrap simply installs debs.

This was fixed in base-passwd 3.5.21. So it still affects current stable, but not testing/unstable.

--
see shy jo

Attachment: signature.asc
Description: Digital signature
--- End Message ---
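
Added example, not part of the thread and not code from debootstrap or base-passwd: a shell function that audits a chroot (such as one built with debootstrap) for accounts whose password field is empty, either directly in etc/passwd or, where that field is `x`, in etc/shadow. The function name and the path in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): report accounts with an empty
# password field under a chroot. Usage: empty_password_accounts /srv/chroot
# Returns 0 if none found, 1 if any account is passwordless, 2 on error.
empty_password_accounts() {
    root=${1:?usage: empty_password_accounts CHROOT_DIR}
    passwd="$root/etc/passwd"
    shadow="$root/etc/shadow"
    [ -r "$passwd" ] || { echo "cannot read $passwd" >&2; return 2; }
    # A chroot without shadow passwords has no etc/shadow; read nothing then.
    [ -r "$shadow" ] || shadow=/dev/null

    awk -F: '
        /^#/ || NF < 2 { next }
        # First pass (src=shadow): remember each password field.
        src == "shadow" { hash[$1] = $2; next }
        # Second pass (src=passwd): an empty field means no password at all.
        $2 == "" {
            print $1 ": empty password field in etc/passwd"; bad = 1; next
        }
        # "x" defers to etc/shadow, where an empty field is just as open.
        $2 == "x" && ($1 in hash) && hash[$1] == "" {
            print $1 ": empty password field in etc/shadow"; bad = 1
        }
        END { exit bad + 0 }
    ' src=shadow "$shadow" src=passwd "$passwd"
}
```

A field of `*` or `!` is not reported, since no password matches it; that is the asterisk the report asks for.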