security risk in the profile LFS-4.0
vassilidzuba at nerim.net
Wed Oct 9 15:23:41 PDT 2002
Currently, the profile LFS-4.0 at http://vassilidzuba.nerim.net
creates a user lfs if it does not exist,
(as required by chapter 5), but does not set its password.
(definitely not as required by chapter 5).
I changed the profile to add a password if one creates
the temporary user (but of course does not change the password if the
user already exists).
If you used the profile and has not build a LFS manually on the same machine
(in which cas the user already existed and normally has a password),
you should set the password of the 'lfs' user.
The bug already existed in the previous profiles (LFS-3.3 and CVS)
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe alfs-discuss' in the subject header of the message
More information about the alfs-discuss