From nobody  Fri Jan  9 10:25:14 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id KAA25618;
          Fri, 9 Jan 1998 10:25:14 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199801091825.KAA25618@hub.freebsd.org>
Date: Fri, 9 Jan 1998 10:25:14 -0800 (PST)
From: ken@bolingbroke.com
To: freebsd-gnats-submit@freebsd.org
Subject: Security compromised on new installation of FreeBSD
X-Send-Pr-Version: www-1.0

>Number:         5470
>Category:       conf
>Synopsis:       Security compromised on new installation of FreeBSD
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan  9 10:30:00 PST 1998
>Closed-Date:    Fri Jan 9 18:10:20 PST 1998
>Last-Modified:  Fri Jan  9 18:10:37 PST 1998
>Originator:     Ken Bolingbroke
>Release:        2.2.5-RELEASE
>Organization:
>Environment:
FreeBSD sacto.bolingbroke.com 2.2.5-RELEASE FreeBSD 2.2.5-RELEASE #0: Tue Oct 21 14:33:00 GMT    jkh@time.cdrom.com:/usr/src/sys/compile/GENERIC  i386

>Description:
After initial network installation of FreeBSD, using the /stand/sysinstall
utility to add further software removes any modified user db and replaces
it with the default including a root account with *no* password.

I only noticed this when I got console messages of an attempted root login.
My system was compromised and at least one trojan horse was found on this
system.  Since it was a new installation, I just wiped the hard disk and
started over, but using /stand/sysinstall again wiped my new user db and
cleared the root password.  I haven't isolated the problem, but I'm using
/stand/sysinstall after the initial installation because X-Windows doesn't
seem to install correctly...
>How-To-Repeat:
Use /stand/sysinstall to add additional software...
>Fix:

>Release-Note:
>Audit-Trail:

From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: ken@bolingbroke.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: conf/5470: Security compromised on new installation of FreeBSD 
Date: Fri, 09 Jan 1998 16:17:39 -0800

 > After initial network installation of FreeBSD, using the /stand/sysinstall
 > utility to add further software removes any modified user db and replaces
 > it with the default including a root account with *no* password.
 
 When you say "to add further software", what do you mean?  You don't
 go and choose one of the bindist-containing "bundles" do you?  You go
 to the custom screen and avoid reinstalling the bindist, right?
 
 If not, then your problem is pilot error and not actually a security
 hole - sysinstall is merely doing exactly what you told it to do and
 I can close this PR. :)
 
 					Jordan
State-Changed-From-To: open->closed
State-Changed-By: jkh
State-Changed-When: Fri Jan 9 18:10:20 PST 1998
State-Changed-Why:
User installed bindist twice - this is the expected behavior.
>Unformatted:

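A check an administrator can run after a sysinstall session to confirm the password database was not replaced by the stock bindist copy, added here as an example and not part of the PR or of FreeBSD itself: it scans a master.passwd-format file for accounts whose password field is empty, the condition the submitter describes for root. The sample database below is constructed; the default path /etc/master.passwd is an assumption about where the check would normally run.

```shell
#!/bin/sh
# Added example, not from the PR. master.passwd field layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# An empty second field means the account can be entered with no password,
# which is what a freshly re-extracted bindist leaves root with.

# Print every account whose password field is empty.
# Returns 1 if any such account exists, 0 otherwise.
find_passwordless_accounts() {
    file="${1:-/etc/master.passwd}"   # assumed default location
    awk -F: '
        /^#/ || NF == 0 { next }       # skip comments and blank lines
        $2 == ""        { print $1; found = 1 }
        END             { exit found ? 1 : 0 }
    ' "$file"
}

# Constructed sample resembling the state described in the PR: root has no password.
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
# constructed sample, not a real password database
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
ken:$1$constructedhash$:1001:1001::0:0:Ken:/home/ken:/bin/sh
EOF

if find_passwordless_accounts "$SAMPLE_DB"; then
    echo "OK: every account has a password field set"
else
    echo "WARNING: the accounts above have an empty password field; set one with passwd(1)" >&2
fi
rm -f "$SAMPLE_DB"
```

Run against the live file with `find_passwordless_accounts /etc/master.passwd` (as root) immediately after any sysinstall run that touched the base distribution.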