Re: vulnerability in su?
On Sat, Nov 08, 2003 at 08:23:25PM -0500, kirt wrote: is this a known issue? i didn't search to hard for a fix or anything since i quickly fixed it myself, but i thought that a situation like that could make for some interesting (read *bad*) situations. It's certainly possible to compromise your system in this way if you incorrectly update your /etc (e.g. by making a mistake with mergemaster). Kris pgp0.pgp Description: PGP signature
Re: vulnerability in su?
On Sat, Nov 08, 2003 at 10:49:35PM -0800, Derrick Ryalls wrote: while recently cvsup'ing my box here at home, i had a weird thing happen... i had already built world, built and installed the kernel, installed world (including all appropriate reboots), and when i brought it back up, but prior to running mergemaster, i popped the jumper on the circuit the box is on. my ups is somewhat wimpy, and only lasts a couple minutes (the fuse trips all the time too.. stupid apartment wiring can't handle 2 computers and the washer and dryer at once =P ) so i made it a priority to go ahead and shut the box down. after fixing said jumper and bring the box back up i noticed that i could now su like a madman, without ever being prompted for passwords. i then remembered that i hadn't run mergemaster yet, so i ran it again and rebooted for safe measure and su started asking for passwords again. I think the only time this happens is if the root password is blank. It is possible that one of your mergemaster runs put in the default root password (blank). well, it wasn't just the root password... for example i was able to login to one of my non-wheel accounts, su to my personal account (which is in wheel), and then su right to root as well. in addition, none of the passwords were actually blank, because i actually plugged a monitor and keyboard into the box and logged in locally as root, which required me to put my password in. all of my accounts did, in fact. -kirt ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: vulnerability in su?
while recently cvsup'ing my box here at home, i had a weird thing happen... i had already built world, built and installed the kernel, installed world (including all appropriate reboots), and when i brought it back up, but prior to running mergemaster, i popped the jumper on the circuit the box is on. my ups is somewhat wimpy, and only lasts a couple minutes (the fuse trips all the time too.. stupid apartment wiring can't handle 2 computers and the washer and dryer at once =P ) so i made it a priority to go ahead and shut the box down. after fixing said jumper and bring the box back up i noticed that i could now su like a madman, without ever being prompted for passwords. i then remembered that i hadn't run mergemaster yet, so i ran it again and rebooted for safe measure and su started asking for passwords again. I think the only time this happens is if the root password is blank. It is possible that one of your mergemaster runs put in the default root password (blank). ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]