Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 23 Apr 2004 13:38:47 +0200
From:      "MaXX" <admsrv_maxx@hotmail.com>
To:        <freebsd-questions@FreeBSD.org>
Subject:   Possible security hole in FreeBSD 4.8-RELEASE????
Message-ID:  <BAY16-DAV15Y0W9PMy50002ca5d@hotmail.com>

next in thread | raw e-mail | index | archive | help
Good afternoon,
    I have installed FreeBSD 4.8Release on a machine to experiment settings
before attempting to place them on my "server". Due to a problem with the
port system on this machine I decided to reinstall only the port system via
sysinstall, during the process, I switched to anoter console (ttyv3) and
login as root, the password was not asked...
    Hopefully I was not able to connect the machine via Telnet and so on,
but I ask myself, if the root password is cleared by sysinstall, there can
be more possibilities to acces the machine via some other techniques, I'm
some kind of newbie, but since Apache still running there can be some
"hacking techniques" to gain root rights on the machine....
Security is not a "real" concern for me because those machines are my home
network but for people who uses freeBSD as production machine, I could be
interesting to warn them about this fact and ask them to shutdown most of
the network related services (like apache) during such process. I also know
that poduction machine are not updated that way so often (sysadmins are not
as stupid as me) but who knows when an attack will appen?

Sam
P.S.: Sorry for my bad english and thank again. I'm very interested in
FreeBSD and I still availlable for comments... Have a nice day! Ho i Forgot:
 FreeBSD 4.8-RELEASE #0: Thu Apr 3 10:53:38 GMT 2003
 root@freebdsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BAY16-DAV15Y0W9PMy50002ca5d>