On Wednesday 28 Feb 2007 02:52:08 Manoj Srivastava wrote:
> On Wed, 28 Feb 2007 00:59:06 +0530, Mrugesh Karnik said:
> > Also, I found a MAJOR security bug with respect to the sudo
> > integration. I enabled it and found that root login with a blank
> > password was possible. I haven't tried updating the system yet. If
> > the bug persists, I'll report it.
>
> I did not see a bug filed about this for the installer, so I
> took the liberty of forwarding this to the debian installer leads,
> Frans Pop and Joeyh Hess. They agreed that if this is the case, then
> this is a huge bug; but so far none of the testers has reported
> anything similar.
>
> However, we are now trying to reproduce this bug, and
> investigating how it happened. On repeated testing, we can't
> reproduce the passwordless root account. Frans Pop says he gets a "!"
> in the /etc/shadow file, which means login disabled.

Yes, I discussed that with Vihan yesterday. The bug could have been something
like a missing ! in the shadow file. I realised that I should have checked
that before I assigned a root password manually. Then again, this is exactly
how I assigned the root password anyway. Logged in as root on the console
with a blank password and simply used passwd.

Anyway, I'll reinstall and see if I can reproduce it.

> Is there any additional information you can provide us, on how
> to reproduce the passwordless root account, and the crashes? A
> formal installation report via reportbug would be much appreciated,
> preferably with the latest daily build of the installer, and a
> sequence of steps to follow to reproduce it.

Hmmm. I'll download the daily build. To be honest, the Debian website
confuses me as to what exactly I should download. Anyway, as I said above,
I'll try to reproduce the bug with this set of DVDs I have first.

--
----------------------------------------
Mrugesh Karnik
GPG Key 0xBA6F1DA8
Public key on http://wwwkeys.pgp.net
----------------------------------------
-- http://mm.glug-bom.org/mailman/listinfo/linuxers
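
Added example, not part of the original message or of the Debian installer: a small check that separates the two shadow-file states discussed in the thread, an empty password field (no password required) versus a field starting with "!" (password login disabled). The sample entries and account names are constructed; on a real system the input would be the contents of /etc/shadow, read as root.

```python
"""Classify the password field of shadow(5) entries (added example)."""

# Constructed sample in shadow(5) format; not taken from any real system.
SAMPLE_SHADOW = """\
root::13572:0:99999:7:::
daemon:*:13572:0:99999:7:::
installer-root:!:13572:0:99999:7:::
alice:$1$constructed$notARealHashValue000000:13572:0:99999:7:::
bob:!$1$constructed$notARealHashValue000000:13572:0:99999:7:::
"""


def classify_field(pw_field):
    """Return the login state implied by the second shadow field."""
    if pw_field == "":
        return "EMPTY"    # no password is required to authenticate
    if pw_field.startswith(("!", "*")):
        return "LOCKED"   # not a valid crypt(3) result: password login disabled
    if pw_field.startswith("$"):
        return "HASHED"   # modular crypt hash, e.g. $1$ (MD5) or $6$ (SHA-512)
    return "OTHER"        # legacy DES hash or unrecognised content


def audit_shadow(text):
    """Map each account name to the state of its password field."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            results[f"<malformed line {lineno}>"] = "MALFORMED"
            continue
        results[fields[0]] = classify_field(fields[1])
    return results


def empty_password_accounts(text):
    """Accounts that can authenticate without any password."""
    return sorted(n for n, s in audit_shadow(text).items() if s == "EMPTY")


if __name__ == "__main__":
    for name, state in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name:16} {state}")
    print("accounts with no password:", empty_password_accounts(SAMPLE_SHADOW))
```

Running this against a fresh install before setting any password by hand captures which of the two states the installer actually wrote.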

