linux security - May 1999 - OpenLinux 2.2: LISA install leaves root access without password

Hello,

I believe I''ve found a bug in the installation process of OpenLinux 2.2
when using the LISA boot disk. During the installation a temporary passwd
file is put on the new file system containing the user "help" set
uid=0
gid=0 and no password. Once you are prompted to set the root password and
default user password a new passwd and shadow file is created yet the help
user is left in the shadow file with, you guessed it, no password... Here
are the offending entries:

/etc/passwd
        help:x:0:0:install help user:/:/bin/bash

/etc/shadow
        help::10709:0:365:7:7::

Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
their password file now ;-)

I found this using a cdrom I made from a mirror of the mirror at
ftp.tux.org. Just to make sure I wasn''t mixed up I redownloaded the
install.144 file from ftp.calderasystems.com and tried again. Same thing.
The install disk is version 137 dated 26Mar99 (displayed on the boot
message).

I wrote Caldera a message late in the day Friday regarding this bug but
haven''t heard back from anyone. I''ve tried to resist posting
this until I
hear back but I really feel people should know now!!

PS: I''m not sure if Lizard, the graphical installation method, has this
problem. It crashes before it does much here.... that''s why I tried
LISA.

Thanks,



Andrew McRory - amacc@linuxsys.com ***********************************
Linux Systems Engineers / The PC Doctors                             *
3009-C West Tharpe Street - Tallahassee, FL 32303                    *
Voice 850.575.7213 ***************************************************

Hi Andrew,

We are currently checking whether this is a FTP version only
phenomena or not.

In any case we will make new (old style) LISA images available
this afternoon (MET). Watch for the 138 images. I''ll post a
follow-up to this mail when they are available.

Note that *only* the LISA (old style) install is affected.
The lizard (new style, graphical) install is not affected.

To avoid confusion - old style images carry 1xx numbers,
new style images carry 2xx numbers.

If you had to use the old style images, the quick fix
is to remove (after installation) the lines starting with
"help" from /etc/passwd and /etc/shadow.

Until later

	Ralf

On Sat, May 08, 1999 at 11:46:40PM -0400, Andrew McRory
wrote:
>
> Hello,
>
> I believe I''ve found a bug in the installation process of
OpenLinux 2.2
> when using the LISA boot disk. During the installation a temporary passwd
> file is put on the new file system containing the user "help" set
uid=0
> gid=0 and no password. Once you are prompted to set the root password and
> default user password a new passwd and shadow file is created yet the help
> user is left in the shadow file with, you guessed it, no password... Here
> are the offending entries:
>
> /etc/passwd
>         help:x:0:0:install help user:/:/bin/bash
>
> /etc/shadow
>         help::10709:0:365:7:7::
>
> Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
> their password file now ;-)
>
> I found this using a cdrom I made from a mirror of the mirror at
> ftp.tux.org. Just to make sure I wasn''t mixed up I redownloaded
the
> install.144 file from ftp.calderasystems.com and tried again. Same thing.
> The install disk is version 137 dated 26Mar99 (displayed on the boot
> message).
>
> I wrote Caldera a message late in the day Friday regarding this bug but
> haven''t heard back from anyone. I''ve tried to resist
posting this until I
> hear back but I really feel people should know now!!
>
> PS: I''m not sure if Lizard, the graphical installation method, has
this
> problem. It crashes before it does much here.... that''s why I
tried LISA.
>
> Thanks,
>
>
>
> Andrew McRory - amacc@linuxsys.com ***********************************
> Linux Systems Engineers / The PC Doctors                             *
> 3009-C West Tharpe Street - Tallahassee, FL 32303                    *
> Voice 850.575.7213 ***************************************************
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
>   mail -s unsubscribe linux-security-request@redhat.com < /dev/null
--
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__             Lazarettstr. 8, 91054 Erlangen
   /_____//_/ /____/       Dipl. Inf. Ralf Flaxa, email: rf@caldera.de
  ==== /_____/ ======    phone: ++49 9131 8978-23, fax: ++49 9131 8978-22
   Caldera OpenLinux  PGP: 6D 02 48 48 87 9C 6A 9C  30 A8 4D 15 AC CA 96 10