[I am unaware of a bug reporting format, so here is my report.  If there
is a bug report format, please forward a pointer and I will re-submit]

This was reported in comp.os.386bsd.bugs recently, and I would not
be surprised if this 'bug' has been reported before..

Situation: 
All users have passwords, root has NO password
/etc/ttys has only console as a secure login (others are left blank)

Demonstration of Bug:
User telnets to localhost
At login prompt enters 'root'
Root access allowed.

Why it happens:
/usr/src/usr.bin/login.c fails to check the tty (doesn't call rootterm)
if there is no password for the login.  This is WRONG.  If there is no
password the tty should still be checked to see if a root login is 
permitted on this tty.

Why change it:
Physical access to the system usually means root access priviledges.  In
the worst case the person brings a BSD boot disk and gains root access
in that manner.  Allowing the console to be secure means root logins
are really easy if there is no password.  Same for people in the group
wheel who want to 'su' to root.  If they aren't in the group, they can't
'su'.  

---->InSaNiTyNoW!<---- ! (H)acker ! There is a ! (Cr)acker
roo@zone4.ocunix.on.ca ! (H)onest ! difference ! (Cr)iminal	

------------------------------------------------------------------------------