MAJOR hole in 5.0

Dagmar d'Surreal dagmar.wants at nospam.com
Thu Sep 25 17:25:24 PDT 2003


On Thu, 2003-09-25 at 14:35, Matthias Benkmann wrote:
> On Thu, 25 Sep 2003 19:47:20 +0100 Chris Lingard <chris at stockwith.co.uk>
> wrote:
> 
> > Remove user nobody, as this will now be a security risk, when
> > you put your new LFS system on the internet.
> 
> Yes, and make sure to tell them that they should only ever use the root
> account because all normal user accounts are a security risk when you put
> your system on the Internet.

Hey now, no need to be a smart-ass.  There are people reading who might
not realize that's supposed to be ironic.  =O

> Could someone please tell me, how a user account called "nobody" with no
> valid shell and no password that doesn't own any files is a major security
> risk and a user account called "miller" with a valid shell and password
> that owns files and has write access to /home/miller is not?
> 
> MSB

Ian already stated that he misspoke in calling it a "major" hole, as it
is a relatively minor issue since it poses a configuration error[1]
after coreutils has been tested, and a control error[2] afterwards if
the nobody uid is not being used on the system.

Changing it to another name is pretty pointless, as no brute force
password guessing attacks are going to be able to guess the plaintext
for nonexistent ciphertext.

[1] - Role accounts not valid for login should not have a valid login
shell.

[2] - Accounts which are not being used and do not have a user attached
to them should be deleted.
-- 
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.  
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
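The two footnotes above describe a checkable condition: a role account whose password is locked (no ciphertext to guess) should also have no valid login shell. The audit below, added here as an example and not part of the list post, parses constructed /etc/passwd and /etc/shadow excerpts and reports accounts that break that rule; the sample accounts, hashes and the set of "nologin" shells are assumptions.

```python
# Constructed sample /etc/passwd and /etc/shadow excerpts (not from the thread).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Unprivileged Nobody:/dev/null:/bin/false
daemon:x:2:2:daemon:/dev/null:/bin/bash
miller:x:1000:1000:Joe Miller:/home/miller:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$examplehash:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
daemon:!:12345:0:99999:7:::
miller:$6$saltsalt$examplehash:12345:0:99999:7:::
"""

# Shells that refuse an interactive login (assumed set; adjust per distribution).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}


def shadow_state(field):
    """Classify a shadow password field: 'locked' holds no ciphertext at all
    ('*', '!' or '!'-prefixed), 'empty' permits login with no password, else 'hashed'."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    return "hashed"


def audit(passwd_text, shadow_text):
    """Map account name -> reason for every account violating footnote [1]:
    a password-locked account that still has a real login shell.
    Accounts with an empty shadow field are reported too, since those do allow login."""
    states = {}
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        states[name] = shadow_state(field)
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        # An account with no shadow entry cannot authenticate by password at all.
        state = states.get(name, "locked")
        if state == "empty":
            findings[name] = "empty password field"
        elif state == "locked" and shell not in NOLOGIN_SHELLS:
            findings[name] = f"locked password but login shell {shell}"
    return findings
```

With the constructed data, `nobody` passes (locked password and /bin/false), while `daemon` is reported for keeping /bin/bash despite a locked password.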