[14706] in bugtraq

Re: piranha default password/exploit

daemon@ATHENA.MIT.EDU (Matt Wilson)
Thu Apr 27 13:26:03 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000427002611.D1315@devserv.devel.redhat.com>
Date:         Thu, 27 Apr 2000 00:26:11 -0400
Reply-To: Matt Wilson <msw@REDHAT.COM>
From: Matt Wilson <msw@REDHAT.COM>
X-To:         CDI <cdi@THEWEBMASTERS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.95.1000425182251.10902B-100000@animal.blarg.net>;
              from cdi@THEWEBMASTERS.NET on Tue, Apr 25,
              2000 at 06:36:52PM -0700

On Tue, Apr 25, 2000 at 06:36:52PM -0700, CDI wrote:
> OK, so they've fixed the poorly thought out system call that led to
> this compromise, but I'd suggest a change to the RPM spec file for the
> next build. Something like this should work? (Philip?) - force them to set
> a password during the installation process...

Sorry, interactive RPMS are not supported at all.  If you were to do
this, the installer would hang during the installation of the piranha
package, waiting for input on a virtual console that the user will
never see.  We prefer to leave web administration interfaces such as
piranha and linuxconf disabled by default.  The latest package of
piranha (piranha-0.4.14-1.i386.rpm) disables the web interface until
enabled by the system administrator.

Matt
--
msw@redhat.com
Installer Developer
OS Development, Red Hat Inc.