MAJOR hole in 5.0

Chris Lingard chris at stockwith.co.uk
Thu Sep 25 11:47:20 PDT 2003


Ian Molton wrote:

> Hi.
> 
> I don't want to steal anyone's thunder at all by this but anyone who built
> a 5.0pre1 is subject to a pretty major security hole.
> 
> the 'nobody' user in /etc/passwd is wrong. anyone building 5.0 should
> check this is not screwed on their build.
> 
> it SHOULD be:
> 
> nobody:x:1000:1000:::/bin/false
> 
> and not:
> 
> nobody:x:1000:1000:nobody:/:/bin/bash
> 
> hole found by voidcore on IRC.

nobody::1000:1000:::/bin/bash is fine when building LFS

Its reason, as you know, is just for testing.  Anything that helps
the user to build a clean LFS should be encouraged.  The putting
your new LFS on the internet comes much later.

How about if you add to "The End"

Remove user nobody, as this will now be a security risk, when
you put your new LFS system on the internet.  The command for this is:

userdel  nobody

Chris


No more problems :-)
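
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of the LFS book: it reads a passwd-format file and reports entries with an empty password field and a usable shell, and reports the named service account if it has a login shell. The function name `check_passwd` and the `root` sample line are assumptions; the three `nobody` lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: audit passwd-format input for the problem raised in this thread.
# Usage: check_passwd FILE [ACCOUNT]   (FILE may be "-" for stdin)
# Prints one finding per line; returns 1 if anything was flagged, else 0.
check_passwd() {
    file=$1
    account=${2:-nobody}
    awk -F: -v acct="$account" '
        BEGIN { bad = 0 }
        /^[ \t]*$/ || /^#/ { next }            # skip blank lines and comments
        NF != 7 {
            printf "%s: malformed entry (%d fields)\n", $1, NF
            bad = 1; next
        }
        {
            shell = $7
            # An empty shell field means the system default shell, so it counts as a login shell.
            shown = (shell == "") ? "(default)" : shell
            nologin = (shell ~ /\/(false|nologin)$/)
            if ($2 == "" && !nologin) {
                printf "%s: empty password field with login shell %s\n", $1, shown
                bad = 1
            }
            if ($1 == acct && !nologin) {
                printf "%s: service account has login shell %s\n", $1, shown
                bad = 1
            }
        }
        END { exit bad }
    ' "$file"
}

# Constructed sample input: the root line is made up, the nobody lines are from the thread.
check_passwd - <<'EOF' || true
root:x:0:0:root:/root:/bin/bash
nobody:x:1000:1000:::/bin/false
nobody:x:1000:1000:nobody:/:/bin/bash
nobody::1000:1000:::/bin/bash
EOF
```

On a finished system the same function can be pointed at the real file with `check_passwd /etc/passwd`.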