From owner-freebsd-bugs  Fri Jan  9 16:20:05 1998
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id QAA00865
          for bugs-outgoing; Fri, 9 Jan 1998 16:20:05 -0800 (PST)
          (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id QAA00802;
          Fri, 9 Jan 1998 16:20:01 -0800 (PST)
          (envelope-from gnats)
Date: Fri, 9 Jan 1998 16:20:01 -0800 (PST)
Message-Id: <199801100020.QAA00802@hub.freebsd.org>
To: freebsd-bugs
Cc: 
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Subject: Re: conf/5470: Security compromised on new installation of FreeBSD 
Reply-To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR conf/5470; it has been noted by GNATS.

From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: ken@bolingbroke.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: conf/5470: Security compromised on new installation of FreeBSD 
Date: Fri, 09 Jan 1998 16:17:39 -0800

 > After initial network installation of FreeBSD, using the /stand/sysinstall
 > utility to add further software removes any modified user db and replaces
 > it with the default including a root account with *no* password.
 
 When you say "to add further software", what do you mean?  You don't
 go and choose one of the bindist-containing "bundles" do you?  You go
 to the custom screen and avoid reinstalling the bindist, right?
 
 If not, then your probably is pilot error and not actually a security
 hole - sysinstall is merely doing exactly what you told it to do and
 I can close this PR. :)
 
 					Jordan