*BSD News Article 25089



Path: sserve!newshost.anu.edu.au!munnari.oz.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!aggedor.rmit.EDU.AU!otto!davidb
From: davidb@otto.bf.rmit.oz.au (David Burren [Athos])
Newsgroups: comp.os.386bsd.bugs
Subject: Re: 386bsd login security bug
Date: 17 Dec 93 07:13:14 GMT
Organization: Royal Melbourne Institute of Technology, Melbourne, Australia.
Lines: 18
Message-ID: <davidb.756112394@otto>
References: <chrisjCHypxr.94s@netcom.com> <2ejpdk$jhs@zone4.ocunix.on.ca>
NNTP-Posting-Host: otto.bf.rmit.edu.au

In <2ejpdk$jhs@zone4.ocunix.on.ca> roo@zone4.ocunix.on.ca (Andrew Low) writes:

> I just discovered this myself and was very surprised.  I was trying
> to allow 'root' to have no password, but only allow root logins from
> the console (secure) or let people in the group wheel 'su' to root.

> If it's a 'feature', I'd like to hear the defence for this behaviour.
> Until then I too consider it a bug that needs to be fixed. (I'm using
> NetBSD-0.9).  The patch seems simple enough, but I'd like to see it
> or a variation of it in the release version(s).

It was reported recently and the fix has been applied to NetBSD-current.
Thus it is fixed there and will be fixed in the next official release.

Until then it only affects sites with null root passwords, which have
their own set of security concerns anyway...

- David B.