MAJOR hole in 5.0

Jochen Schroeder jschrod at uni-muenster.de
Thu Sep 25 14:38:08 PDT 2003


Matthias Benkmann wrote:
> On Thu, 25 Sep 2003 19:47:20 +0100 Chris Lingard <chris at stockwith.co.uk>
> wrote:
> 
> 
>>Remove user nobody, as this will now be a security risk, when
>>you put your new LFS system on the internet.
> 
> 
> Yes, and make sure to tell them that they should only ever use the root
> account because all normal user accounts are a security risk when you put
> your system on the Internet.
> Could someone please tell me, how a user account called "nobody" with no
> valid shell and no password that doesn't own any files is a major security
> risk and a user account called "miller" with a valid shell and password
> that owns files and has write access to /home/miller is not?
> 
> MSB
> 
From Chris's mail:

nobody::1000:1000:::/bin/bash is fine when building LFS

Note it has a valid shell. Even worse, what was in the book was:

nobody:x:1000:1000:nobody:/:/bin/bash

Cheers
Jochen
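
Added example, not part of the original message or of the LFS book: a small audit of passwd(5)-format lines that reports the two properties discussed in this thread, an empty password field and a shell that permits login. The third sample line and the list of non-login shells are assumptions made for illustration.

```shell
#!/bin/sh
# Audit passwd(5) entries. Field layout: name:password:UID:GID:GECOS:home:shell

# Constructed sample: the two "nobody" lines quoted in the message above,
# plus a hypothetical locked-down variant for comparison.
SAMPLE_PASSWD='nobody::1000:1000:::/bin/bash
nobody:x:1000:1000:nobody:/:/bin/bash
nobody:x:99:99:Unprivileged User:/dev/null:/bin/false'

# audit_passwd: read passwd-format lines on stdin and print one line per
# entry that has findings, as <lineno>:<user>:<finding>[,<finding>...]
audit_passwd() {
    awk -F: '
    BEGIN {
        # Shells that refuse interactive login (assumed list; adjust per system).
        nologin["/bin/false"]; nologin["/sbin/nologin"]; nologin["/usr/sbin/nologin"]
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    NF != 7 { printf "%d:%s:malformed\n", NR, $1; next }
    {
        f = ""
        # An empty password field means no password is required to log in.
        if ($2 == "") f = f ",empty-password"
        # Anything not in the nologin list counts as a login shell; an empty
        # shell field falls back to /bin/sh, so it is flagged as well.
        if (!($7 in nologin)) f = f ",login-shell"
        # A second account with UID 0 is root under another name.
        if ($3 == 0 && $1 != "root") f = f ",uid0"
        if (f != "") printf "%d:%s:%s\n", NR, $1, substr(f, 2)
    }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

A login shell is expected for human accounts, so that finding only matters for service accounts such as nobody; to check a live system, run `audit_passwd < /etc/passwd`.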



