
Re: Passwordless root shell is offered when boot problem occurs.



Sthu Deus (sthu.deus@gmail.com on 2011-12-03 17:53 +0700):
> >[..] A standard Debian config
> >should not offer a passwordless root shell unless you explicitly ask
> >for it,
> 
> Oh, no! I didn't! :)
> 
> Do You have an idea where to look for that? - I have no ideas,
> absolutely.

Just as a pointer, you can get a passwordless root shell by:

- interrupting initramfs: specify break=init on the kernel command
  line
- overriding init: specify init=/bin/bash on the kernel command line
- configuring inittab: either add a bootwait line spawning /bin/*sh
  or tell getty to bypass login with -l /bin/*sh
- setting SULOGIN=yes in /etc/default/rcS, and either
  a) locking the root account (passwd -l root), which will give you
     "sulogin: root account is locked, starting shell"
  b) deleting root's password (passwd -d root), which will give you
     "Press enter for maintenance(or type Control-D to continue)"

All four methods above will give you an unconditional root shell. Since
yours only spawns on error, none of the above applies.

> 
> On the other hand, if we pursue this idea - that physical access makes a
> host absolutely undefended - we can let the root account be
> password-less - for why worry?

Setting a root password will still protect you from remote users that
have access to login programs (such as su). Locking the root account
reduces the attack surface to your sudoers configuration.


Regards,
Arno
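
The four settings listed in the message above, turned into a read-only audit script. This is an added example, not part of the original post; the function names and the sample tree are constructed for illustration.

```shell
# Added example: every check takes the file to inspect, so it runs on copies or samples.

check_cmdline() {   # $1 = /proc/cmdline
    for word in $(cat "$1" 2>/dev/null); do
        case "$word" in
            break|break=*) echo "cmdline: initramfs break ($word)" ;;
            init=*sh)      echo "cmdline: init overridden with a shell ($word)" ;;
        esac
    done
}

check_inittab() {   # $1 = /etc/inittab, fields are id:runlevels:action:process
    [ -r "$1" ] || return 0
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        { proc = $4; for (i = 5; i <= NF; i++) proc = proc ":" $i }
        $3 == "bootwait" && proc ~ /\/bin\/[a-z]*sh( |$)/ { print "inittab: bootwait shell, id " $1 }
        proc ~ /getty.* -l *\/bin\/[a-z]*sh( |$)/ { print "inittab: getty bypasses login, id " $1 }
    ' "$1"
}

# SULOGIN=yes only yields a shell without a password when root is locked
# (passwd -l prefixes the hash with "!") or has an empty password (passwd -d).
check_sulogin() {   # $1 = /etc/default/rcS, $2 = /etc/shadow
    grep -Eq '^[[:space:]]*SULOGIN=yes' "$1" 2>/dev/null || return 0
    [ -r "$2" ] || { echo "sulogin: SULOGIN=yes, cannot read $2"; return 0; }
    case "$(awk -F: '$1 == "root" { print $2 }' "$2")" in
        "")   echo "sulogin: SULOGIN=yes and root has no password" ;;
        '!'*) echo "sulogin: SULOGIN=yes and root account is locked" ;;
    esac
}

audit() {           # $1 = root prefix, "" for the live system
    check_cmdline "$1/proc/cmdline"
    check_inittab "$1/etc/inittab"
    check_sulogin "$1/etc/default/rcS" "$1/etc/shadow"
}

# Constructed sample tree (not from the page) that trips every check.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/proc" "$d/etc/default"
    echo 'root=/dev/sda1 ro break=init init=/bin/bash' > "$d/proc/cmdline"
    printf '%s\n' 'id:2:initdefault:' 'rs::bootwait:/bin/sh' \
        '1:2345:respawn:/sbin/getty -l /bin/bash 38400 tty1' > "$d/etc/inittab"
    echo 'SULOGIN=yes' > "$d/etc/default/rcS"
    echo 'root:!$6$constructed:15000:0:99999:7:::' > "$d/etc/shadow"
    echo "$d"
}
if [ $# -gt 0 ]; then audit "$1"; else audit "$(make_sample)"; fi
```

With no argument the script audits the constructed sample; pass an empty string as the first argument, as root so that /etc/shadow is readable, to audit the running system.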

