Return to BSD News archive
Path: sserve!newshost.anu.edu.au!munnari.oz.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!aggedor.rmit.EDU.AU!otto!davidb From: davidb@otto.bf.rmit.oz.au (David Burren [Athos]) Newsgroups: comp.os.386bsd.bugs Subject: Re: 386bsd login security bug Date: 17 Dec 93 07:13:14 GMT Organization: Royal Melbourne Institute of Technology, Melbourne, Australia. Lines: 18 Message-ID: <davidb.756112394@otto> References: <chrisjCHypxr.94s@netcom.com> <2ejpdk$jhs@zone4.ocunix.on.ca> NNTP-Posting-Host: otto.bf.rmit.edu.au In <2ejpdk$jhs@zone4.ocunix.on.ca> roo@zone4.ocunix.on.ca (Andrew Low) writes: > I just discovered this myself and was very suprised. I was trying > to allow 'root' to have no password, but only allow root logins from > the console (secure) or let people in the group wheel 'su' to root. > If it's a 'feature', I'd like to hear the defence for this behaviour. > Until then I too consider it a bug that needs to be fixed. (I'm using > NetBSD-0.9). The patch seems simple enough, but I'd like to see it > or a variation of it in the release version(s). It was reported recently and the fix has been applied to NetBSD-current. Thus it is fixed there and will be fixed in the next official release. Until then it only affects sites with null root passwords, which have their own set of security concerns anyway... - David B.