reassign 517018 sysvinit-utils
thanks

On Wed, Feb 25, 2009 at 01:43:05AM -0500, Michael Gilbert wrote:
> On Tue, 24 Feb 2009 22:12:52 -0800 Steve Langasek wrote:
> > > since there is no root password set up during installation, a local
> > > attacker can simply boot into the root account (without being prompted
> > > for a password) via single user mode ("single" kernel option).
> > Have you tested that this is actually the case?

> yes.

Ok; reassigning to sysvinit-utils.

> i'm not entirely sure what the installer is doing (i assume that it
> generates a random password since "su" itself still requires a password),
> but the easiest way i could think to describe the problem was by the term
> no-root. if there is better terminology that i can use, please let me
> know.

What this is supposed to do is configure the root account without a valid
password. You can verify this is the case by checking whether root's
password field in /etc/shadow is set to '*' or '!'.

Looking at sulogin's code, it treats this as an invalid password (which is
true), and as a result bypasses the password check entirely (which is
questionable).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
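
The /etc/shadow check described in the message above, as an added example that is not part of the original e-mail or of sysvinit. Function names and the sample entries are constructed for illustration, and treating any field that begins with '*' or '!' as locked generalizes slightly beyond the two exact values the message names.

```shell
#!/bin/sh
# Added example: classify an account's password field in a shadow-format file.
# classify_shadow FILE USER prints one of:
#   empty   - the field is empty (no password at all)
#   locked  - the field is '*' or '!' or starts with one (no valid password)
#   hash    - the field holds something that may be a usable crypt(3) hash
#   missing - FILE has no entry for USER
classify_shadow() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[*!]/) print "locked"
            else                   print "hash"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# single_user_exposed FILE: exit status 0 when root has no valid password,
# the condition under which the message says sulogin skips its password check.
single_user_exposed() {
    case $(classify_shadow "$1" root) in
        locked|empty) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample in shadow(5) layout; the hash is a placeholder, not real.
write_sample() {
    cat > "$1" <<'EOF'
root:*:14300:0:99999:7:::
daemon:!:14300:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:14300:0:99999:7:::
bob::14300:0:99999:7:::
EOF
}

# Usage: run as root with a file argument, e.g.  sh check.sh /etc/shadow
if [ "$#" -ge 1 ]; then
    echo "root password field: $(classify_shadow "$1" root)"
    if single_user_exposed "$1"; then
        echo "root has no valid password; single-user mode depends on sulogin"
    fi
fi
```
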