On Wed, 28 Feb 2007 00:59:06 +0530, Mrugesh Karnik said:
> Also, I found a MAJOR security bug with respect to the sudo integration. I enabled it and found that root login with a blank password was possible. I haven't tried updating the system yet. If the bug persists, I'll report it.
I did not see a bug filed about this for the installer, so I took the liberty of forwarding this to the Debian installer leads, Frans Pop and Joey Hess. They agreed that if this is the case, then this is a huge bug; but so far none of the testers has reported anything similar.
However, we are now trying to reproduce this bug, and investigating how it happened. On repeated testing, we can't reproduce the passwordless root account. Frans Pop says he gets a "!" in the /etc/shadow file, which means login disabled.
http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=388003
http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=400766
have been fixed in the latest installers (use the daily installer build to get the fixed versions)
Is there any additional information you can provide us, on how to reproduce the passwordless root account, and the crashes? A formal installation report via reportbug would be much appreciated, preferably with the latest daily build of the installer, and a sequence of steps to follow to reproduce it.
manoj
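
The distinction discussed in the message above (an empty password field versus a "!" in /etc/shadow) can be checked mechanically on an installed system. This is an added example, not part of the original e-mail; the sample entries and the function names are constructed for illustration.

```python
# Added example: classify the password field of shadow(5) entries so that an
# empty field (no password required) is told apart from a locked account.
# SAMPLE_SHADOW is constructed test data, not output from any real install.

SAMPLE_SHADOW = """\
root:!:13571:0:99999:7:::
daemon:*:13571:0:99999:7:::
alice:$1$constructed$0123456789abcdefghijkl:13571:0:99999:7:::
bob::13571:0:99999:7:::
carol:!$1$constructed$0123456789abcdefghijkl:13571:0:99999:7:::
"""


def classify(field):
    """Return 'empty', 'locked' or 'hashed' for one shadow password field."""
    if field == "":
        return "empty"    # no password is required to authenticate
    if field[0] in "!*":
        return "locked"   # not a valid crypt(3) result: password login disabled
    return "hashed"       # a password hash is set


def parse_shadow(text):
    """Map each login name to the state of its password field."""
    states = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        states[parts[0]] = classify(parts[1])
    return states


def passwordless_accounts(text):
    """Login names whose password field is empty, sorted for stable output."""
    return sorted(u for u, s in parse_shadow(text).items() if s == "empty")


if __name__ == "__main__":
    for user, state in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {state}")
    print("passwordless:", passwordless_accounts(SAMPLE_SHADOW))
```

A "locked" result only means password authentication is unavailable for that account; other mechanisms such as sudo or SSH keys are unaffected.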