[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

base system on boot floppies 2.2.3 broken


the other day i used the new boot floppies labeled 2.2.3 on the ftp site and found when i installed the system the permissions were all screwed up, today a post from debian-user with the same problem:

I am not sure which package the base system falls under I would guess boot-floppies? I have not yet filed a bug report...

[ quoting post from debian-user ]
On 30/12/99 matt garman wrote:

I just installed potato via the floppy+ftp method.

For some odd reason, I cannot "su" to root as a normal user, it
always says I have the wrong password.  But I can switch to a
different virtual terminal and login as root with the same password,
no problem.

Also, as a user I tried to change my shell with "chsh" and when
it behaves the same as su, i.e. it always says wrong password for
my username.  I can login with this password just fine, though.

I tried both commands several times slowly, so I cannot be typing
two different passwords incorrectly.

I just reinstalled a potato system 3 days ago using the 2.2.3 potato boot floppies and the base system was installed with massively wrong permissions:

1) there were NO suid/sgid binaries, including chsh, chfn, login, passwd, su et al this means ONLY root may login to the virtual consoles, any other uids will fail. this also means su chsh, chfn et al will not work. nothing pam related will work since /sbin/unix_chkpwd is not suid.

2) any file or directory that has a symlink associated with it has permissions of 777 this includes much of the libc, /sbin/init /usr/sbin/adduser, and many many many more. also most of /usr/share/doc had mode 777.

3) most of /dev/* has wrong owners/permissions, i just rm -rf ed it and grabbed a properly extracted version from base2_2.tgz

unfortunately i did not notice this massive mess till after i installed the rest of the system so i had to do many finds (for all the mode 777 stuff) and general looking around to fix the huge security hole, for the suid/sgid i extracted a copy of the base system into a temporary directory with tar -zxvpf and did finds for all suid/sgid and set the modes manually (there are not to many in the base system) I also has to take the /dev/ directory from manually extracted base and replace the screwed up version that i had. i also used the base as a reference for what the right permissions were for the 777 stuff as well as owners/groups.

At 20:21 -0600 30/12/99, matt garman wrote:
Yup, what you described is exactly what happened on my system.  Gives
new meaning to "unstable," eh?

Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Reply to: