security risk in the profile LFS-4.0

Vassili Dzuba vassilidzuba at nerim.net
Wed Oct 9 15:23:41 PDT 2002


Currently, the profile LFS-4.0 at http://vassilidzuba.nerim.net
creates a user lfs if it does not exist,
(as required by chapter 5), but does not set its password.
(definitely not as required by chapter 5).

I changed the profile to add a password if one creates 
the temporary user (but of course does not change the password if the
user already exists).

If you used the profile and has not build a LFS manually on the same machine
(in which cas the user already existed and normally has a password),
you should set the password of the 'lfs' user.

The bug already existed in the previous profiles (LFS-3.3 and CVS)

Vassili Dzuba
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe alfs-discuss' in the subject header of the message



More information about the alfs-discuss mailing list