Packet Storm PACKETSTORM:11943
Aug 17, 1999 - 12:00 a.m.

openlinux.lisa.help.txt

Packet Storm
packetstormsecurity.com
`Date: Sat, 8 May 1999 23:46:40 -0400  
From: Andrew McRory <[email protected]>  
To: [email protected]  
Subject: OpenLinux 2.2: LISA install leaves root access without password  
  
Hello,  
  
I believe I've found a bug in the installation process of OpenLinux 2.2  
when using the LISA boot disk. During the installation a temporary passwd  
file is put on the new file system containing the user "help" set uid=0  
gid=0 and no password. Once you are prompted to set the root password and  
default user password a new passwd and shadow file is created yet the help  
user is left in the shadow file with, you guessed it, no password... Here  
are the offending entries:  
  
/etc/passwd  
help:x:0:0:install help user:/:/bin/bash  
  
/etc/shadow  
help::10709:0:365:7:7::  
  
Anyone who installed OpenLinux 2.2 using the LISA boot disk should check  
their password file now ;-)  
  
I found this using a cdrom I made from a mirror of the mirror at  
ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the  
install.144 file from ftp.calderasystems.com and tried again. Same thing.  
The install disk is version 137 dated 26Mar99 (displayed on the boot  
message).  
  
I wrote Caldera a message late in the day Friday regarding this bug but  
haven't heard back from anyone. I've tried to resist posting this until I  
hear back but I really feel people should know now!!  
  
PS: I'm not sure if Lizard, the graphical installation method, has this  
problem. It crashes before it does much here.... that's why I tried LISA.  
  
Thanks,  
  
  
  
Andrew McRory - [email protected] ***********************************  
Linux Systems Engineers / The PC Doctors *  
3009-C West Tharpe Street - Tallahassee, FL 32303 *  
Voice 850.575.7213 ***************************************************  
  
---------------------------------------------------------------------------  
  
Date: Sun, 9 May 1999 15:15:09 +0200  
From: Ralf Flaxa <[email protected]>  
To: [email protected]  
Subject: Re: [linux-security] OpenLinux 2.2: LISA install leaves root access without password  
  
Hi Andrew,  
  
We are currently checking whether this is an FTP-version-only  
phenomenon or not.  
  
In any case we will make new (old style) LISA images available  
this afternoon (MET). Watch for the 138 images. I'll post a  
follow-up to this mail when they are available.  
  
Note that *only* the LISA (old style) install is affected.  
The lizard (new style, graphical) install is not affected.  
  
To avoid confusion - old style images carry 1xx numbers,  
new style images carry 2xx numbers.  
  
If you had to use the old style images, the quick fix  
is to remove (after installation) the lines starting with  
"help" from /etc/passwd and /etc/shadow.  
  
Until later  
  
Ralf  
  
On Sat, May 08, 1999 at 11:46:40PM -0400, Andrew McRory wrote:  
>  
> Hello,  
>  
> I believe I've found a bug in the installation process of OpenLinux 2.2  
> when using the LISA boot disk. During the installation a temporary passwd  
> file is put on the new file system containing the user "help" set uid=0  
> gid=0 and no password. Once you are prompted to set the root password and  
> default user password a new passwd and shadow file is created yet the help  
> user is left in the shadow file with, you guessed it, no password... Here  
> are the offending entries:  
>  
> /etc/passwd  
> help:x:0:0:install help user:/:/bin/bash  
>  
> /etc/shadow  
> help::10709:0:365:7:7::  
>  
> Anyone who installed OpenLinux 2.2 using the LISA boot disk should check  
> their password file now ;-)  
>  
> I found this using a cdrom I made from a mirror of the mirror at  
> ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the  
> install.144 file from ftp.calderasystems.com and tried again. Same thing.  
> The install disk is version 137 dated 26Mar99 (displayed on the boot  
> message).  
>  
> I wrote Caldera a message late in the day Friday regarding this bug but  
> haven't heard back from anyone. I've tried to resist posting this until I  
> hear back but I really feel people should know now!!  
>  
> PS: I'm not sure if Lizard, the graphical installation method, has this  
> problem. It crashes before it does much here.... that's why I tried LISA.  
>  
> Thanks,  
>  
>  
>  
> Andrew McRory - [email protected] ***********************************  
> Linux Systems Engineers / The PC Doctors *  
> 3009-C West Tharpe Street - Tallahassee, FL 32303 *  
> Voice 850.575.7213 ***************************************************  
>  
  
--  
_____ ___  
/ __/____/ / Caldera (Deutschland) GmbH  
/ /_/ __ / /__ Lazarettstr. 8, 91054 Erlangen  
/_____//_/ /____/ Dipl. Inf. Ralf Flaxa, email: [email protected]  
==== /_____/ ====== phone: ++49 9131 8978-23, fax: ++49 9131 8978-22  
Caldera OpenLinux PGP: 6D 02 48 48 87 9C 6A 9C 30 A8 4D 15 AC CA 96 10  
  
`
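
The check both messages ask administrators to make, as an added example that is not part of the original thread: a shell audit that flags any UID-0 account other than root and any empty password field in passwd/shadow-format files. `audit_accounts` and `make_sample` are hypothetical helper names, and every sample line except the two `help` entries quoted in the report is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). audit_accounts and
# make_sample are hypothetical helper names.

# Report UID-0 accounts other than root and accounts with an empty password
# field. Prints one finding per line; returns 1 if anything was found.
audit_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }                 # skip comments and blank lines
        FILENAME == ARGV[1] {                   # first file: passwd format
            if ($3 == 0) zero[$1] = 1
            if ($3 == 0 && $1 != "root") { print "UID0 " $1; n++ }
            if ($2 == "")                { print "EMPTY-PASSWD " $1; n++ }
            next
        }
        $2 == "" {                              # second file: shadow format
            tag = ($1 in zero) ? "EMPTY-SHADOW-UID0 " : "EMPTY-SHADOW "
            print tag $1
            n++
        }
        END { exit (n > 0) }
    ' "${1:-/etc/passwd}" "${2:-/etc/shadow}"
}

# Constructed sample files: the "help" lines are the two entries quoted in
# the report; the root and col lines (and their hash strings) are made up.
make_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
help:x:0:0:install help user:/:/bin/bash
col:x:500:100:sample user:/home/col:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$notarealhash:10709:0:365:7:7::
help::10709:0:365:7:7::
col:$1$constructed$notarealhash:10709:0:365:7:7::
EOF
    echo "$dir"
}

d=$(make_sample)
echo "as installed:"; audit_accounts "$d/passwd" "$d/shadow" || echo "(findings above)"
# The quick fix from the reply: drop the lines starting with "help".
for f in passwd shadow; do grep -v '^help:' "$d/$f" > "$d/$f.fixed"; done
echo "after fix:"; audit_accounts "$d/passwd.fixed" "$d/shadow.fixed" && echo "clean"
rm -rf "$d"
```

Run with no arguments as root, `audit_accounts` reads the live `/etc/passwd` and `/etc/shadow`; its exit status makes it usable as a post-install check.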