MAJOR hole in 5.0

Ian Molton spyro at f2s.com
Tue Sep 23 16:04:45 PDT 2003


Hi.

I don't want to steal anyone's thunder at all by this, but anyone who built
a 5.0pre1 is subject to a pretty major security hole.

The 'nobody' user in /etc/passwd is wrong. Anyone building 5.0 should
check this is not screwed on their build.

It SHOULD be:

nobody:x:1000:1000:::/bin/false

and not:

nobody:x:1000:1000:nobody:/:/bin/bash

Hole found by voidcore on IRC.
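
One way to run the check the message asks for, as an added example that is not part of the original post. The function name check_account_shell is hypothetical, only /bin/false (the value given above) is accepted, and an empty shell field is reported as a login shell because passwd treats it as /bin/sh.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_account_shell FILE [ACCOUNT]     (ACCOUNT defaults to "nobody")
#   e.g. check_account_shell /etc/passwd
# Return codes:
#   0  shell field is /bin/false, the value the post says it should be
#   1  shell field is anything else, or empty (empty means /bin/sh)
#   2  no entry for ACCOUNT, or the entry does not have 7 fields
check_account_shell() {
    file=$1
    account=${2:-nobody}
    awk -F: -v acct="$account" '
        $1 == acct {
            # Only the first matching entry counts, as with a normal lookup.
            found = 1
            if (NF != 7) {
                print acct ": malformed entry (" NF " fields)"
                rc = 2
                exit
            }
            shell = ($7 == "") ? "/bin/sh (empty field)" : $7
            if ($7 == "/bin/false") {
                print acct ": ok, shell " shell
                rc = 0
            } else {
                print acct ": LOGIN SHELL " shell ", home \"" $6 "\""
                rc = 1
            }
            exit
        }
        END {
            if (!found) {
                print acct ": no entry"
                rc = 2
            }
            exit rc
        }
    ' "$file"
}
```
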


