On Wednesday 28 Feb 2007 02:52:08 Manoj Srivastava wrote:
On Wed, 28 Feb 2007 00:59:06 +0530, Mrugesh Karnik said:
Also, I found a MAJOR security bug with respect to the sudo integration. I enabled it and found that root login with a blank password was possible. I haven't tried updating the system yet. If the bug persists, I'll report it.
I did not see a bug filed about this for the installer, so I took the liberty of forwarding this to the Debian installer leads, Frans Pop and Joeyh Hess. They agreed that if this is the case, then this is a huge bug; but so far none of the testers has reported anything similar.
However, we are now trying to reproduce this bug, and investigating how it happened. On repeated testing, we can't reproduce the passwordless root account. Frans Pop says he gets a "!" in the /etc/shadow file, which means login disabled.
Yes, I discussed that with Vihan yesterday. The bug could have been something like a missing ! in the shadow file. I realised that I should have checked that before I assigned a root password manually. Then again, this is exactly how I assigned the root password anyway. Logged in as root on the console with a blank password and simply used passwd. Anyway, I'll reinstall and see if I can reproduce it.
Is there any additional information you can provide us, on how to reproduce the passwordless root account, and the crashes? A formal installation report via reportbug would be much appreciated, preferably with the latest daily build of the installer, and a sequence of steps to follow to reproduce it.
Hmmm. I'll download the daily build. To be honest, the Debian website confuses me as to what exactly I should download.
Anyway, as I said above, I'll try to reproduce the bug with this set of DVDs I have first.
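
The check this thread turns on (whether root's password field in /etc/shadow is empty or holds a "!"), as an added example that is not part of the original messages. The sample entries, account names and function names are constructed for illustration; the field layout is the standard colon-separated shadow format.

```python
# Added example: classify the password field (2nd field) of shadow entries.
# EMPTY  -> no password stored; a blank-password login may be accepted
#           (whether it is also depends on PAM, e.g. pam_unix "nullok").
# LOCKED -> field starts with "!" or "*": no password can match.
# HASH   -> a password hash is set.

# Constructed sample data, not taken from any real system.
SAMPLE_SHADOW = """\
root::13572:0:99999:7:::
daemon:*:13572:0:99999:7:::
lockedroot:!:13572:0:99999:7:::
alice:$1$constructed$notarealhashvalue00000:13572:0:99999:7:::
bob:!$1$constructed$notarealhashvalue00000:13572:0:99999:7:::
"""

def classify_field(pw):
    """Return EMPTY, LOCKED or HASH for one shadow password field."""
    if pw == "":
        return "EMPTY"
    if pw[0] in "!*":
        return "LOCKED"
    return "HASH"

def audit_shadow(text):
    """Map each account name to the state of its password field."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            results["<malformed line %d>" % lineno] = "MALFORMED"
            continue
        results[fields[0]] = classify_field(fields[1])
    return results

def empty_password_accounts(text):
    """Accounts whose password field is empty, sorted by name."""
    return sorted(n for n, s in audit_shadow(text).items() if s == "EMPTY")

if __name__ == "__main__":
    import sys
    # With a path argument, audit that file (reading /etc/shadow needs root);
    # without one, run on the constructed sample above.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for name, state in audit_shadow(data).items():
        print("%-12s %s" % (name, state))
```

Running it against the freshly installed system's /etc/shadow before setting any password by hand would record which of the two states the installer actually left root in.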