Date: Sat, 8 May 1999 23:46:40 -0400 From: Andrew McRory <amacc@MAILER.ORG> Subject: OpenLinux 2.2: LISA install leaves root access without password To: BUGTRAQ@NETSPACE.ORG Hello, I believe I've found a bug in the installation process of OpenLinux 2.2 when using the LISA boot disk. During the installation a temporary passwd file is put on the new file system containing the user "help" set uid=0 gid=0 and no password. Once you are prompted to set the root password and default user password a new passwd and shadow file is created yet the help user is left in the shadow file with, you guessed it, no password... Here are the offending entries: /etc/passwd help:x:0:0:install help user:/:/bin/bash /etc/shadow help::10709:0:365:7:7:: Anyone who installed OpenLinux 2.2 using the LISA boot disk should check their password file now ;-) I found this using a cdrom I made from a mirror of the mirror at ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the install.144 file from ftp.calderasystems.com and tried again. Same thing. The install disk is version 137 dated 26Mar99 (displayed on the boot message). I wrote Caldera a message late in the day Friday regarding this bug but haven't heard back from anyone. I've tried to resist posting this until I hear back but I really feel people should know now!! PS: I'm not sure if Lizard, the graphical installation method, has this problem. It crashes before it does much here.... that's why I tried LISA. Thanks, Andrew McRory - amacc@linuxsys.com *********************************** Linux Systems Engineers / The PC Doctors * 3009-C West Tharpe Street - Tallahassee, FL 32303 * Voice 850.575.7213 ***************************************************