security risk in the profile LFS-4.0

Vassili Dzuba vassilidzuba at nerim.net
Thu Oct 10 14:13:33 PDT 2002


On Wed, 9 Oct 2002 23:03:29 +0000 (UTC)
gerard at linuxfromscratch.org (Gerard Beekmans) wrote:

> On October 9, 2002 04:23 pm, Vassili Dzuba wrote:
> > I changed the profile to add a password if one creates
> > the temporary user (but of course does not change the password if the
> > user already exists).
> 
> Setting or not setting a password poses no security risk. If you don't have a
> password set, you simply can't log in as that user directly, unless you su to
> root first, then you can change to the lfs user.

Well, on my machine, after creating the user I'm able to perform
a su (from a non-root account) or a login with a blank password
and get accepted.
Maybe I need to look at this more carefully...


Vassili

> -- 
> Gerard Beekmans
> www.linuxfromscratch.org
> 
> -*- If Linux doesn't have the solution, you have the wrong problem -*-
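Added example, not part of the original thread: the two behaviours described above (login refused versus an empty password being accepted) correspond to different contents of the account's password field in shadow(5)-format data, and the check below tells them apart. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify each account in shadow(5)-format input by its password field:
#   empty field        -> BLANK   (an empty password matches)
#   starts with ! or * -> LOCKED  (no typed password can match)
#   anything else      -> SET     (a hash or another non-empty value)
classify_shadow() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and empty lines
        NF < 2         { print $1, "MALFORMED"; next }
        $2 == ""       { print $1, "BLANK";  next }
        $2 ~ /^[!*]/   { print $1, "LOCKED"; next }
                       { print $1, "SET" }
    '
}

# Names of accounts whose password field is empty, one per line.
blank_accounts() {
    classify_shadow | awk '$2 == "BLANK" { print $1 }'
}

# Constructed sample entries, not taken from any real system.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhashvalue:11970:0:99999:7:::
lfs::11970:0:99999:7:::
daemon:*:11970:0:99999:7:::
builder:!:11970:0:99999:7:::
EOF
}

sample_shadow | classify_shadow
# On a live system, as root: classify_shadow < /etc/shadow
```

Whether a BLANK account is actually let in with an empty password also depends on the authentication configuration, for example the `nullok` option of `pam_unix` on PAM-based systems.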