[Pkg-shadow-devel] Bug#1041547: login: I can login as root without password despite it being forbidden

ircuser at gmail.com
Thu Jul 20 18:10:14 BST 2023


Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: serious
X-Debbugs-Cc: ircuser at gmail.com

Dear Maintainer,

On a newly installed debian bookworm /usr/share/doc/passwd/NEWS.Debian.gz mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to passwordless accounts.

The option is found in /etc/login.defs and has the default value:
PREVENT_NO_AUTH superuser

I removed the root password using `passwd -d root` so that `grep root /etc/shadow` reads:
root::19519:0:99999:7:::

I can now log in to root on a tty just by typing root as the login name. I can also log in to root just by typing `su` from a regular user account. "PREVENT_NO_AUTH superuser" has no effect.

I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to prevent all passwordless account login.

I created a new user account `useradd -m -s /bin/bash testuser` and deleted its password `passwd -d testuser`. If I run `grep testuser /etc/shadow` it reads:
testuser::19558:0:99999:7:::

I can now also log in to this account on a tty without any password. `su newuser` also doesn't need any password. I can also still log in to the root account by doing `su`.

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504

and

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980

indicate that this should not be possible. It looks like PREVENT_NO_AUTH doesn't do anything at all.

This was replicated on IRC by another user too.


-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages login depends on:
ii  libaudit1       1:3.0.9-1
ii  libc6           2.36-9
ii  libcrypt1       1:4.4.33-2
ii  libpam-modules  1.5.2-6
ii  libpam-runtime  1.5.2-6
ii  libpam0g        1.5.2-6

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/login.defs changed:
MAIL_DIR        /var/mail
FAILLOG_ENAB		yes
LOG_UNKFAIL_ENAB	no
LOG_OK_LOGINS		no
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes
FTMP_FILE	/var/log/btmp
SU_NAME		su
HUSHLOGIN_FILE	.hushlogin
ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP	tty
TTYPERM		0600
ERASECHAR	0177
KILLCHAR	025
UMASK		022
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
UID_MIN			 1000
UID_MAX			60000
SUB_UID_MIN		   100000
SUB_UID_MAX		600100000
SUB_UID_COUNT		    65536
GID_MIN			 1000
GID_MAX			60000
SUB_GID_MIN		   100000
SUB_GID_MAX		600100000
SUB_GID_COUNT		    65536
LOGIN_RETRIES		5
LOGIN_TIMEOUT		60
CHFN_RESTRICT		rwh
DEFAULT_HOME	yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
NONEXISTENT	/nonexistent
PREVENT_NO_AUTH yes


-- no debconf information
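An added audit check, not code from the shadow package or from this report: it parses the /etc/shadow, /etc/passwd and /etc/login.defs formats quoted above (the sample entries are constructed from the lines in the report) and lists which passwordless accounts the documented PREVENT_NO_AUTH value is supposed to refuse, so the setting's expected effect can be compared against what login and su actually do on a system.

```python
# Constructed sample data mirroring the entries quoted in the report.
SAMPLE_SHADOW = """\
root::19519:0:99999:7:::
alice:$6$saltsalt$hashhash:19519:0:99999:7:::
testuser::19558:0:99999:7:::
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash
"""
SAMPLE_LOGIN_DEFS = "# comment\nUMASK\t\t022\nPREVENT_NO_AUTH superuser\n"

def parse_login_defs(text):
    """Return {KEY: VALUE} from login.defs text, skipping blanks and comments."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            defs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return defs

def passwordless_uids(shadow_text, passwd_text):
    """Map name -> uid for shadow entries with an empty password field (locked '!'/'*' and hashes excluded)."""
    uids = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            uids[f[0]] = int(f[2])
    empty = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1] == "":
            empty[f[0]] = uids.get(f[0])
    return empty

def audit(shadow_text, passwd_text, login_defs_text):
    """Return (policy, refused, admitted): which passwordless accounts the
    documented PREVENT_NO_AUTH value should refuse, and which it still admits."""
    policy = parse_login_defs(login_defs_text).get("PREVENT_NO_AUTH", "no").lower()
    refused, admitted = [], []
    for name, uid in sorted(passwordless_uids(shadow_text, passwd_text).items()):
        # 'superuser' covers only UID 0; 'yes' covers every account; 'no' none.
        blocked = policy == "yes" or (policy == "superuser" and uid == 0)
        (refused if blocked else admitted).append(name)
    return policy, refused, admitted

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_PASSWD, SAMPLE_LOGIN_DEFS))
```

Any name in the "admitted" list is an account with an empty password field that the configured policy does not cover; an empty "admitted" list with a successful passwordless login, as in this report, shows the option is not being enforced.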
