September 5, 2007

Tom,

Even after assigning "root" a password, I can still telnet in and get to a shell prompt with any of the following IDs without a password.

bin, daemon, adm, lp, mail, news, uucp, operator, games, ftp, smmsp, mysql, sshd, gdm, pop

Granted, they do not have root authority, but I'll bet it would be easy to take over the server using many of those. Certainly, you can read files you might not have access to otherwise.

Even more interesting is logging in as "halt" or "shutdown".

You have masked these system logins from showing themselves on the "Users" page, but left them wide open by not assigning a default password or blocking their direct use by putting an asterisk in the password field in the passwd file.

You have a bit of work to do before unRaid 4.2 is ready for use on a business LAN. Assigning passwords to ALL accounts would be a great first step.

Joe L.

September 5, 2007

Heh, how many hackers know about those accounts??

Problem fixed in 4.2-beta2. (Had forgotten to create /etc/nologin file in target system root directory.)

September 5, 2007

> Heh, how many hackers know about those accounts??
>
> Problem fixed in 4.2-beta2. (Had forgotten to create /etc/nologin file in target system root directory.)

Ya know.... it works much better now in 4.2-beta2...

And yes, I would guess most of the hackers know those potential logins. Security through obscurity never works for long.

By the way, the -p option to emhttp is really nice. I was going to ask you to put it on your laundry list, but you beat me to it.

Joe L.
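
An added example, not part of the original thread: a shell function that lists accounts whose password field is empty, the condition described in the first post, reading a passwd file and, where the field is "x", the matching shadow entry. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# List accounts that can authenticate with an empty password.
# Usage: audit_empty_passwords PASSWD_FILE [SHADOW_FILE]
audit_empty_passwords() {
    # pass=1 reads the shadow file, pass=2 reads the passwd file.
    awk -F: '
        /^#/ || NF < 2 { next }                # skip comments and blank lines
        pass == 1 { shadow[$1] = $2; next }    # remember the shadow password field
        {
            field = $2
            # "x" means the real field lives in the shadow file.
            if (field == "x" && ($1 in shadow)) field = shadow[$1]
            # Empty field: no password required. "*" or "!" means locked.
            if (field == "") print $1 ":" $7
        }
    ' pass=1 "${2:-/dev/null}" pass=2 "$1"
}

# Constructed sample data, not taken from a real system.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin::1:1:bin:/bin:/bin/sh
daemon:*:2:2:daemon:/sbin:/bin/sh
halt::7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:ftp:/home/ftp:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$hashvalue:13761:0:::::
ftp::13761:0:::::
sshd:!:13761:0:::::
EOF
}

# Demo run against the constructed files: prints one "name:shell" per finding.
tmp=$(mktemp -d)
write_sample "$tmp"
audit_empty_passwords "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

Each reported line pairs the account name with its login shell, so an entry such as a "halt" account whose shell is the halt command stands out immediately.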