The creation of "lfs" user and its possible security issues
Bruce Dubbs
bruce.dubbs at gmail.com
Wed Mar 5 18:51:52 MST 2008
Robert Connolly wrote:
> On Monday March 3 2008 07:47:16 am mundoalem wrote:
>> Hello everyone!
>>
>> As I was reading for the first time the Linux From Scratch
>> books version 6.3 this weekend, I noticed that section:
>>
>> "4.3. Adding the LFS User"
>> http://www.linuxfromscratch.org/lfs/view/stable/chapter04/addinguser.html
>>
>> is lacking notes on security issues about the creation
>> of the "lfs" user and "lfs" group. I know the book just can't
>> cover every aspect of the security problems and errors that might
>> occur if you do the things the book tells you to do.
>> The sysadm should know what he is typing.
>
> A weak password on the lfs account could lead to both local and remote
> unauthorized use, which in turn could lead to a trojan-horsed coreutils
> patch, which leads to a privilege escalation from /tools when root runs the
> coreutils test suite, and then a root backdoor.
>
> It could happen.
IMO, only if there are untrusted users on the system or sshd is
misconfigured with PermitEmptyPasswords.
We can't cover *every* possibility.
-- Bruce
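The two conditions Bruce names, an lfs account that can actually be logged into and an sshd that permits empty passwords, as an added audit example that is not part of the thread. It assumes only POSIX sh and awk; both helpers take a file path, so they run on the constructed samples below as well as on a real /etc/shadow and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from lfs-dev: check the two preconditions named in the
# reply. Helpers parse whatever file they are given (real or constructed).

# Classify the "lfs" entry of a shadow-format file:
#   empty   - no password at all (login succeeds with an empty password)
#   locked  - field starts with "!" or "*" (password login disabled)
#   set     - a hash is present (weak or strong is a separate question)
#   missing - no lfs line
lfs_password_state() {
    awk -F: '$1 == "lfs" {
                 found = 1
                 if ($2 == "")            print "empty"
                 else if ($2 ~ /^[!*]/)   print "locked"
                 else                     print "set"
                 exit
             }
             END { if (!found) print "missing" }' "$1"
}

# Exit 0 if the sshd_config at $1 sets PermitEmptyPasswords yes, else 1.
# Comment lines are skipped, keyword and value are case-insensitive, and,
# like sshd, the first occurrence wins. Match blocks are not modelled.
sshd_permits_empty() {
    awk '$0 !~ /^[[:space:]]*#/ && tolower($1) == "permitemptypasswords" {
             seen = 1; yes = (tolower($2) == "yes"); exit
         }
         END { exit !(seen && yes) }' "$1"
}

# Constructed samples: an lfs account created by useradd and never given a
# password (locked with "!"), and an sshd_config carrying the risky setting.
tmp=$(mktemp -d)
printf 'root:$6$salt$hash:17961:0:99999:7:::\nlfs:!:17961:0:99999:7:::\n' > "$tmp/shadow"
printf '# sshd_config\nPermitRootLogin no\nPermitEmptyPasswords yes\n' > "$tmp/sshd_config"

echo "lfs password: $(lfs_password_state "$tmp/shadow")"
if sshd_permits_empty "$tmp/sshd_config"; then
    echo "sshd: PermitEmptyPasswords is enabled, review before lfs is reachable"
else
    echo "sshd: empty passwords not permitted"
fi
rm -r "$tmp"
```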