Re: [linux-security] OpenLinux 2.2: LISA install leaves root

[rf () caldera de (Ralf Flaxa)]

Hi Andrew,

We are currently checking whether this is a FTP version only
phenomena or not.

In any case we will make new (old style) LISA images available
this afternoon (MET). Watch for the 138 images. I'll post a
follow-up to this mail when they are available.

Note that *only* the LISA (old style) install is affected.
The lizard (new style, graphical) install is not affected.

To avoid confusion - old style images carry 1xx numbers,
new style images carry 2xx numbers.

If you had to use the old style images, the quick fix
is to remove (after installation) the lines starting with
"help" from /etc/passwd and /etc/shadow.

Until later

        Ralf

On Sat, May 08, 1999 at 11:46:40PM -0400, Andrew McRory wrote:
> Hello,
>
> I believe I've found a bug in the installation process of OpenLinux 2.2
> when using the LISA boot disk. During the installation a temporary passwd
> file is put on the new file system containing the user "help" set uid=0
> gid=0 and no password. Once you are prompted to set the root password and
> default user password a new passwd and shadow file is created yet the help
> user is left in the shadow file with, you guessed it, no password... Here
> are the offending entries:
>
> /etc/passwd
>         help:x:0:0:install help user:/:/bin/bash
>
> /etc/shadow
>         help::10709:0:365:7:7::
>
> Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
> their password file now ;-)
>
> I found this using a cdrom I made from a mirror of the mirror at
> ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the
> install.144 file from ftp.calderasystems.com and tried again. Same thing.
> The install disk is version 137 dated 26Mar99 (displayed on the boot
> message).
>
> I wrote Caldera a message late in the day Friday regarding this bug but
> haven't heard back from anyone. I've tried to resist posting this until I
> hear back but I really feel people should know now!!
>
> PS: I'm not sure if Lizard, the graphical installation method, has this
> problem. It crashes before it does much here.... that's why I tried LISA.
>
> Thanks,
>
>
>
> Andrew McRory - amacc () linuxsys com ***********************************
> Linux Systems Engineers / The PC Doctors                             *
> 3009-C West Tharpe Street - Tallahassee, FL 32303                    *
> Voice 850.575.7213 ***************************************************
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
>   mail -s unsubscribe linux-security-request () redhat com < /dev/null

--
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__             Lazarettstr. 8, 91054 Erlangen
   /_____//_/ /____/       Dipl. Inf. Ralf Flaxa, email: rf () caldera de
  ==== /_____/ ======    phone: ++49 9131 8978-23, fax: ++49 9131 8978-22
   Caldera OpenLinux  PGP: 6D 02 48 48 87 9C 6A 9C  30 A8 4D 15 AC CA 96 10