Robert Connolly wrote:
> On Monday March 3 2008 07:47:16 am mundoalem wrote:
>> Hello everyone!
>>
>> As I was reading for the first time the Linux From Scratch
>> books version 6.3 this weekend, I noticed that section:
>>
>> "4.3. Adding the LFS User"
>> http://www.linuxfromscratch.org/lfs/view/stable/chapter04/addinguser.html
>>
>> is lacking notes on security issues about the creation
>> of the "lfs" user and "lfs" group. I know the book just can't
>> cover every aspect of security problems and errors that might
>> occur if you do the things the book tells you to do.
>> The sysadm should know what he is typing.
>
> A weak password on the lfs account could lead to both local and remote
> unauthorized use, which in turn could lead to a trojan-horsed coreutils
> patch, which leads to a privilege escalation from /tools when root runs the
> coreutils test suite, and then a root backdoor.
>
> It could happen.
IMO, only if there are untrusted users on the system or sshd is misconfigured with PermitEmptyPasswords. We can't cover *every* possibility.

-- Bruce
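The two conditions Bruce names (an lfs account with no password, and an sshd that permits empty passwords) are both easy to check on the build host. The script below is an added example written for this thread, not code from the LFS book or the list; it parses constructed sample copies of sshd_config and /etc/shadow so it runs offline, and the function names (`permit_empty_enabled`, `account_password_state`, `assess_account`) are my own. On a real system you would feed it the contents of /etc/ssh/sshd_config and /etc/shadow instead of the samples.

```shell
#!/bin/sh
# Added example: a defender-side check for the lfs account discussed above.
# Sample inputs are constructed here (not taken from any real host).

# Constructed sshd_config with the weak setting Bruce mentions.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin no
PermitEmptyPasswords yes
'

# The same config with the setting corrected.
HARDENED_SSHD_CONFIG='# constructed sample sshd_config
Port 22
PermitRootLogin no
PermitEmptyPasswords no
'

# Constructed shadow entries: the lfs account has an empty password field,
# which is what you get from "useradd" followed by no "passwd lfs".
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
lfs::17000:0:99999:7:::
bruce:$6$saltsalt$anotherhash:17000:0:99999:7:::
'

# Same entries after "passwd -l lfs" (a "!" prefix locks the account).
LOCKED_SHADOW='root:$6$saltsalt$hashhashhash:17000:0:99999:7:::
lfs:!:17000:0:99999:7:::
'

# Returns 0 when the first uncommented PermitEmptyPasswords line says "yes".
# sshd keywords are case-insensitive and the first occurrence wins, so we
# lowercase and stop at the first match. Comment lines start with "#" and
# never match the keyword test.
permit_empty_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitemptypasswords" { found = 1; val = tolower($2); exit }
        END { exit !(found && val == "yes") }'
}

# Prints one of: empty, locked, set, missing - for the named user in the
# given shadow text. An empty second field means login with no password.
account_password_state() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        $1 == user {
            if ($2 == "")            print "empty"
            else if ($2 ~ /^[!*]/)   print "locked"
            else                     print "set"
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Combines both checks. Usage: assess_account SHADOW_TEXT SSHD_CONFIG_TEXT USER
#   REMOTE-EXPOSED : empty password and sshd accepts empty passwords
#   LOCAL-ONLY     : empty password but sshd refuses it (still a risk from
#                    local users, as the reply above notes)
#   OK             : password set or account locked, or account missing
assess_account() {
    state=$(account_password_state "$1" "$3")
    if [ "$state" = "empty" ]; then
        if permit_empty_enabled "$2"; then
            echo "REMOTE-EXPOSED"
        else
            echo "LOCAL-ONLY"
        fi
    else
        echo "OK"
    fi
}

# Stand-alone run over the constructed samples.
assess_account "$SAMPLE_SHADOW" "$SAMPLE_SSHD_CONFIG" lfs
assess_account "$SAMPLE_SHADOW" "$HARDENED_SSHD_CONFIG" lfs
assess_account "$LOCKED_SHADOW" "$HARDENED_SSHD_CONFIG" lfs
```

The fix for a flagged account is the one implied in the thread: give lfs a real password, or lock it with `passwd -l lfs` and switch to it from root with `su - lfs` for the build, and set `PermitEmptyPasswords no` in sshd_config regardless.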
