
Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw



reassign 517018 sysvinit-utils
thanks

On Wed, Feb 25, 2009 at 01:43:05AM -0500, Michael Gilbert wrote:
> On Tue, 24 Feb 2009 22:12:52 -0800 Steve Langasek wrote:
> > > since there is no root password set up during installation, a local
> > > attacker can simply boot into the root account (without being prompted
> > > for a password) via single user mode ("single" kernel option).

> > Have you tested that this is actually the case?

> yes.

Ok; reassigning to sysvinit-utils.

> i'm not entirely sure what the installer is doing (i assume that it
> generates a random password since "su" itself still requires a password),
> but the easiest way i could think to describe the problem was by the term
> no-root.  if there is better terminology that i can use, please let me
> know.

What this is supposed to do is configure the root account without a valid
password.  You can verify this is the case by checking whether root's
password field in /etc/shadow is set to '*' or '!'.

Looking at sulogin's code, it treats this as an invalid password (which is
true), and as a result bypasses the password check entirely (which is
questionable).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
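
Added example, not part of the original message or of any Debian package: a shell check for the condition described above, reading root's password field from a shadow-format file. The function names and sample entries are constructed for illustration, and treating any field that begins with '*' or '!' as locked generalizes slightly beyond the two exact values the message names.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of root's password
# field in a shadow-format file. On a real system, as root:
#   single_user_note /etc/shadow

# Print one of: missing, empty, locked, hash
root_pw_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password required
            else if ($2 ~ /^[*!]/) print "locked"   # no valid password
            else                   print "hash"     # a password hash is set
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Turn the state into a one-line finding for an audit report.
single_user_note() {
    state=$(root_pw_state "$1")
    case "$state" in
        locked) echo "locked: root has no valid password; this is the state in which the thread reports sulogin skipping its password check" ;;
        empty)  echo "empty: root has no password at all" ;;
        hash)   echo "hash: root has a password set" ;;
        *)      echo "missing: no root entry found" ;;
    esac
}

# Constructed sample entries (not real accounts or hashes).
demo_dir=$(mktemp -d)
printf '%s\n' 'daemon:*:14299:0:99999:7:::' \
              'root:*:14299:0:99999:7:::' > "$demo_dir/star"
printf '%s\n' 'root:!:14299:0:99999:7:::' > "$demo_dir/bang"
printf '%s\n' 'root:$6$constructed$NOTAREALHASH:14299:0:99999:7:::' > "$demo_dir/hash"
for f in star bang hash; do
    printf '%s -> %s\n' "$f" "$(single_user_note "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```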


