
Bug#470614: marked as done (leaves possibility to login as root without password)

Your message dated Wed, 17 Feb 2010 17:20:37 -0500
with message-id <20100217222037.GA13569@gnu.kitenet.net>
and subject line closing; fixed in unstable & not really a debootstrap bug
has caused the Debian Bug report #470614,
regarding leaves possibility to login as root without password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

470614: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470614
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debootstrap
Version: 1.0.8
Severity: normal


Since debootstrap is often (at least by me) used to create a chrooted
environment for some services I'm treating this problem as rather

A fresh debootstrapped system leaves an empty password for root.

It should at least put an asterisk in /etc/shadow for that user.

A friend of mine set up a chrooted environment for a postfix installation. He
used MySQL as a backend for managing users and he did his best to ensure
such a system won't be an open relay.

He didn't even think that by default the root account has no password, and this
way some spammer sent 40k mails through this installation. The spammer used the
root account and authorized using an empty password.

I'm not sure whether it should be fixed in debootstrap itself or in
base-files (this package afaik creates /etc/passwd and /etc/shadow).

During a normal installation the user is asked for a root password; that's why
I chose debootstrap for this bug report.

  ,''`.  Bartosz Fenski | mailto:fenio@debian.org | pgp:0x13fefc40 | irc:fEnIo
 : :' :       32-050 Skawina - Glowackiego 3/15 - malopolskie v. - Poland
 `. `'           phone:+48602383548 | proud Debian maintainer and user
   `-            http://fenski.pl | xmpp:fenio@jabber.org | rlu:172001

--- End Message ---
--- Begin Message ---
debootstrap has nothing to do with the default contents of /etc/passwd.
debootstrap simply installs debs.

This was fixed in base-passwd 3.5.21. So it still affects
current stable, but not testing/unstable.

see shy jo

--- End Message ---
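
The check the report implies, as an added example that is not part of either message or of any Debian package: a shell function that lists accounts in a root tree whose effective password field is empty, reading both etc/passwd and etc/shadow. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list accounts in a root tree whose
# effective password field is empty. Paths and sample data are constructed.

empty_password_accounts() {
    root=${1:-/}
    passwd="$root/etc/passwd"
    shadow="$root/etc/shadow"
    [ -r "$passwd" ] || { echo "cannot read $passwd" >&2; return 2; }
    [ -r "$shadow" ] || shadow=/dev/null    # tree without a shadow file
    awk -F: '
        # First file: remember each shadow password field.
        FILENAME == ARGV[1] { hash[$1] = $2; seen[$1] = 1; next }
        /^[#+-]/ || NF < 7  { next }        # comments, NIS lines, short lines
        {
            field = $2
            # "x" in passwd means the real field is in shadow.
            if (field == "x" && seen[$1]) field = hash[$1]
            if (field == "") print $1       # empty field: no password needed
        }
    ' "$shadow" "$passwd"
}

# Build a constructed sample tree so the check can be tried offline.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc"
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
legacy::1000:1000:no shadow entry:/home/legacy:/bin/sh
EOF
    cat > "$dir/etc/shadow" <<'EOF'
root::14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
mail:!:14000:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(make_sample_root)
empty_password_accounts "$sample"   # prints: root, legacy (one per line)
rm -rf "$sample"
```

Run it as root against the chroot directory right after debootstrap finishes and before any network-facing service is started inside it; any name it prints needs a password set or the field replaced with an asterisk, as the report suggests.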
