[lug] Possible compromise?
nagler at bivio.biz
Sun Jan 19 08:29:36 MST 2003
Rob Nagler writes:
> You can "su" without a password.
I booted the machine this morning, and the root password was empty.
Even though shadow passwords are enabled, a blank means anybody can
get in. You need an "x" in the password to force the shadow lookup.
And, sshd won't allowed you in without a password, but PAM (or
whatever) will let you in with any password when none is required.
The way /etc/passwd got this way is unclear, but probably related to
the way we configure machines with RPMs. /etc/passwd used to be
checked in until we moved to a new system that checks for existing
accounts and creates them if they aren't there in the %post of the
RPM. (See http://petshop.bivio.biz/src?s=Bivio::Util::LinuxConfig)
I don't think there was a breach, although the machine was wide open
for a few days.
More information about the LUG