Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw
On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option).
Have you tested that this is actually the case?
"no password" != "empty password". Booting in single user mode should not
allow you to bypass the password prompt, and if it does, that's a bug in the
sulogin program.
> [1] discusses the details of the method for password recovery, but the
> same can be used for malicious purposes, of course.
> [1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html
This link explicitly shows overriding the init value in the bootloader.
That doesn't appear to have anything to do with vulnerabilities with how the
root account is set up.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
Reply to: