base system on boot floppies 2.2.3 broken

[Ethan Benson <erbenson@alaska.net>]

hi,

the other day i used the new boot floppies labeled 2.2.3 on the ftp 
site and found when i installed the system the permissions were all 
screwed up, today a post from debian-user with the same problem:

I am not sure which package the base system falls under I would guess 
boot-floppies?  I have not yet filed a bug report...

[ quoting post from debian-user ]
On 30/12/99 matt garman wrote:

> I just installed potato via the floppy+ftp method.
>
> For some odd reason, I cannot "su" to root as a normal user, it
> always says I have the wrong password.  But I can switch to a
> different virtual terminal and login as root with the same password,
> no problem.
>
> Also, as a user I tried to change my shell with "chsh" and when
> it behaves the same as su, i.e. it always says wrong password for
> my username.  I can login with this password just fine, though.
>
> I tried both commands several times slowly, so I cannot be typing
> two different passwords incorrectly.


I just reinstalled a potato system 3 days ago using the 2.2.3 potato 
boot floppies and the base system was installed with massively wrong 
permissions:

1) there were NO suid/sgid binaries, including chsh, chfn, login, 
passwd, su et al this means ONLY root may login to the virtual 
consoles, any other uids will fail.  this also means su chsh, chfn et 
al will not work.  nothing pam related will work since 
/sbin/unix_chkpwd is not suid.

2) any file or directory that has a symlink associated with it has 
permissions of 777 this includes much of the libc, /sbin/init 
/usr/sbin/adduser, and many many many more. also most of 
/usr/share/doc had mode 777.

3) most of /dev/* has wrong owners/permissions, i just rm -rf ed it 
and grabbed a properly extracted version from base2_2.tgz

unfortunately i did not notice this massive mess till after i 
installed the rest of the system so i had to do many finds (for all 
the mode 777 stuff) and general looking around to fix the huge 
security hole, for the suid/sgid i extracted a copy of the base 
system into a temporary directory with tar -zxvpf and did finds for 
all suid/sgid and set the modes manually (there are not to many in 
the base system) I also has to take the /dev/ directory from manually 
extracted base and replace the screwed up version that i had.  i also 
used the base as a reference for what the right permissions were for 
the 777 stuff as well as owners/groups.


At 20:21 -0600 30/12/99, matt garman wrote:
> Yup, what you described is exactly what happened on my system.  Gives
> new meaning to "unstable," eh?


--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/