From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040808 Firefox/0.9.3

Description of problem:
The /etc/passwd file, installed by the setup package, contains the following line:

root::0:0:root:/root:/bin/bash

This is normally not a problem since during an installation from anaconda setting a root password is required. But, in the case of a manual installation for the purpose of creating a chroot environment, it creates a very serious security hazard: the chroot's root account is PASSWORDLESS!

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. create a chroot environment
2. log in to the chrooted environment with a normal account
3. do a su -

Actual Results: You have full root access without any password

Expected Results: the default root account shouldn't be active, passwordless, and with a valid shell

Additional info:
*** This bug has been marked as a duplicate of 133762 ***
I'm all for resolving bugs as duplicates, but bug #133762 is hidden from public (and even hidden from not-so-public) view. Could you either unhide that one, or reconsider this one? This seems like a pretty reasonable suggestion to me. Thanks!
+1 to comment 2
I'll also second comment #2. +1
From that bug: Changing the default password file makes upgrades a mess, as you have to code in hacks to get changes propagated to users' systems. And yes, for this case, I don't see the change being important enough; this is the way the system has been since at least RHL 4.x, to the best of my knowledge.
This has been fixed in fc6; it is root:*:0:0:root:/root:/bin/bash now
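An added example, not part of the original bug thread: a small audit that flags accounts like the `root::0:0:...` entry reported above, which can be run against the passwd (and optional shadow) file of a freshly built chroot. The function names, the list of non-login shells, the choice to treat a missing shadow entry as locked, and the sample file contents are assumptions made for this illustration.

```python
"""Audit passwd/shadow text for accounts that can be entered with no password."""

# Assumption: shells treated as "not a valid login shell" for this audit.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_shadow(shadow_text):
    """Map login name -> password field from shadow-format text."""
    fields_by_name = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            fields_by_name[fields[0]] = fields[1]
    return fields_by_name


def find_passwordless(passwd_text, shadow_text=""):
    """Return (name, uid, shell) for accounts with an empty password field."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip blank, comment or malformed lines
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "x":
            # Password is kept in shadow; assumption: no entry there means locked.
            pw = shadow.get(name, "*")
        # An empty field means "no password"; "*" (the fc6 value) never matches.
        if pw == "" and uid.isdigit() and shell not in NOLOGIN_SHELLS:
            findings.append((name, int(uid), shell))
    return findings


# Constructed samples: the line from the report, the fc6 line, and a shadowed variant.
PASSWD_REPORTED = "root::0:0:root:/root:/bin/bash\nbin:*:1:1:bin:/bin:/sbin/nologin\n"
PASSWD_FC6 = "root:*:0:0:root:/root:/bin/bash\nbin:*:1:1:bin:/bin:/sbin/nologin\n"
PASSWD_SHADOWED = "root:x:0:0:root:/root:/bin/bash\n"
SHADOW_EMPTY = "root::13000:0:99999:7:::\n"

if __name__ == "__main__":
    samples = [
        ("reported", PASSWD_REPORTED, ""),
        ("fc6", PASSWD_FC6, ""),
        ("shadowed, empty shadow field", PASSWD_SHADOWED, SHADOW_EMPTY),
    ]
    for label, passwd_text, shadow_text in samples:
        print(label, find_passwordless(passwd_text, shadow_text))
```

To check a real chroot, read the two files under the chroot's etc directory and pass their contents to `find_passwordless`; any UID 0 entry in the result is the condition described in this report.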