On Monday March 3 2008 07:47:16 am mundoalem wrote: > Hello everyone! > > As I was reading for the first time the Linux From Scratch > books version 6.3 this weekend, I noticed that section: > > "4.3. Adding the LFS User" > http://www.linuxfromscratch.org/lfs/view/stable/chapter04/addinguser.html > > is lacking of notes on security issues about the creation > of the "lfs" user and "lfs" group. I know the book just can't > cover every aspect of security problems and errors it might > occur if you do the things the book tells you to do. > The sysadm should know what he is typing.
A weak password on the lfs account could lead to both local and remote unauthorized use, which in turn could lead to a trojan-horsed coreutils patch, which leads to a privilege escalation from /tools when root runs the coreutils test suite, and then a root backdoor. It could happen. robert
pgpDkcJKxqoEr.pgp
Description: PGP signature
-- http://linuxfromscratch.org/mailman/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
