MAJOR hole in 5.0
jschrod at uni-muenster.de
Thu Sep 25 14:38:08 PDT 2003
Matthias Benkmann wrote:
> On Thu, 25 Sep 2003 19:47:20 +0100 Chris Lingard <chris at stockwith.co.uk>
>>Remove user nobody, as this will now be a security risk, when
>>you put your new LFS system on the internet.
> Yes, and make sure to tell them that they should only ever use the root
> account because all normal user accounts are a security risk when you put
> your system on the Internet.
> Could someone please tell me, how a user account called "nobody" with no
> valid shell and no password that doesn't own any files is a major security
> risk and a user account called "miller" with a valid shell and password
> that owns files and has write access to /home/miller is not?
From Chris's mail:
nobody::1000:1000:::/bin/bash is fine when building LFS
Note it has a valid shell. Even worse, what was in the book was: