[189] in linux-security and linux-alert archive
Re: security hole in Yggdrasil Linux
daemon@ATHENA.MIT.EDU (Adam J. Richter)
Mon Apr 3 09:40:53 1995
Date: Mon, 3 Apr 95 02:41 PDT
From: adam@yggdrasil.com (Adam J. Richter)
To: swlaemmr@fsh.mtu.edu, ganderson@clark.net, okir@monad.swb.de

In article <3lmgd9$fpp@fishlab3.fsh.mtu.edu>,
Shawn W. Laemmrich <swlaemmr@mtu.edu> wrote:
>Just writing this to inform everyone out there that there is a MAJOR hole in
>the security of Yggdrasil's release of linux. They have coded in a backdoor
>that is common to all their releases. They have created an extra root user
>and hidden it. They claim it was done in case your system went down, and you
>asked them to fix it, and forgot to give them the root password. In reality,
>once someone knows this password (not real hard to guess) they have root
>access on all machines running Yggdrasil Linux. I believe (but am not positive)
>that upgrading your kernel to a non-yggdrasil release will eliminate this

There was an accidental security hole in the Fall '94 release
of Plug-and-Play Linux that caused machines on the internet to trust
the trusted machines at Yggdrasil, fixable with "cp /dev/null ~root/.rhosts".
See ftp.yggdrasil.com:pub/fall94/errata for more information.

I suspect that that bug is the basis for the urban myth that is
your posting. We have *never* deliberately put any kind of security
hole or back door in any release of Plug-and-Play Linux or any other
Yggdrasil product, and we never will.

As a quick sanity check, I just mounted both the Fall '94 cd and
the "December 1994" CD (a slightly updated version of the Fall '94 cd),
and checked both /ramdisk/var/etc/passwd and /dup_ramdisk/var/etc/passwd.
Nothing unusual. If you believe that you have found a security hole,
please report it to us immediately.

Your story that "[Yggdrasil] claim that it was done in case your
system went down" is ridiculous. Just to check my own sanity, I will have
a meeting with everyone at the office on Monday morning to find out if
anyone can possibly recall making a statement like the one you described.

Did you personally talk to someone at Yggdrasil? If not, who
told you this incredible story? I want to find the source of this
damaging rumor.

Please substantiate or retract your statements immediately.
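
The two checks mentioned in the message above (reading a passwd file for extra root accounts, and emptying root's .rhosts), written out as an added example that is not part of the original post or any Yggdrasil code. The function names, file contents and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file and an .rhosts file.

# Print the login name of every entry whose UID field is 0.
# Only "root" is expected; any other name is a second superuser account.
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Print each host (and optional remote user) that an .rhosts file trusts.
# A missing or zero-length file, the state left by "cp /dev/null",
# prints nothing.
rhosts_trust() {
    [ -s "$1" ] || return 0
    awk 'NF > 0 && $1 !~ /^#/ { print $1, (NF > 1 ? $2 : "-") }' "$1"
}

# Constructed sample data (not taken from any Yggdrasil release).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
support:*:0:0:second superuser:/root:/bin/sh
alice:*:500:100:Alice:/home/alice:/bin/sh
EOF
cat > "$demo/rhosts" <<'EOF'
# constructed trust entries
build.example.com
dev.example.com operator
EOF

echo "UID 0 accounts:";        uid0_accounts "$demo/passwd"
echo "rhosts trust (before):"; rhosts_trust "$demo/rhosts"
cp /dev/null "$demo/rhosts"    # the fix quoted in the message
echo "rhosts trust (after):";  rhosts_trust "$demo/rhosts"
```

On a real system the arguments would be the passwd files named in the message and root's own .rhosts; any output from `uid0_accounts` other than `root`, or any output at all from `rhosts_trust`, deserves a closer look.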