[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw

On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option).

Have you tested that this is actually the case?
"no password" != "empty password".  Booting in single user mode should not
allow you to bypass the password prompt, and if it does, that's a bug in the
sulogin program.

> [1] discusses the details of the method for password recovery, but the
> same can be used for malicious purposes, of course.

> [1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html

This link explicitly shows overriding the init value in the bootloader. 
That doesn't appear to have anything to do with vulnerabilities with how the
root account is set up.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
Reply to: