[Pkg-shadow-devel] Bug#1041547: Bug#1041547: login: I can login as root without password despite it being forbidden

Serge E. Hallyn serge at hallyn.com
Mon Sep 25 15:07:48 BST 2023


On Thu, Jul 20, 2023 at 05:10:14PM +0000, ircuser at gmail.com wrote:
> Package: login
> Version: 1:4.13+dfsg1-1+b1
> Severity: serious
> X-Debbugs-Cc: ircuser at gmail.com
> 
> Dear Maintainer,
> 
> On a newly installed debian bookworm /usr/share/doc/passwd/NEWS.Debian.gz mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to passwordless accounts.
> 
> The option is found in /etc/login.defs and has the default value:
> PREVENT_NO_AUTH superuser
> 
> I removed root password using `passwd -d root` so that `grep root /etc/shadow` reads:
> root::19519:0:99999:7:::
> 
> I can now login to root on a tty just by typing root as the login name. I can also login to root just by typing `su` from a regular user account. "PREVENT_NO_AUTH superuser" has no effect.
> 
> I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to prevent all passwordless account login.
> 
> I created a new user account `useradd -m -s /bin/bash testuser` and deleted its password `passwd -d testuser`. If I run `grep testuser /etc/shadow` it reads:
> testuser::19558:0:99999:7:::
> 
> I can now also login to this account on a tty without any password. `su newuser` also doesn't need any password. I can also still login to the root account by doing `su`.
> 
> https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504
> 
> and
> 
> https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980
> 
> indicate that this should not be possible. It looks like PREVENT_NO_AUTH doesn't do anything at all.
> 
> This was replicated on IRC by another user too.

The shadow code enforcing PREVENT_NO_AUTH is in the !ifdef PAM case.

-serge
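An added audit check for the situation described in this thread (example code, not part of the bug report or of shadow itself): it assumes a Debian-style `/etc/pam.d/common-auth` line using `pam_unix.so nullok` (or Debian's `nullok_secure`) and uses constructed shadow and login.defs samples, and it reports accounts whose password field is empty together with whether the PAM stack, rather than `PREVENT_NO_AUTH`, is what admits them.

```python
import re
from typing import List, Optional

# Constructed samples mirroring the bug report: an empty second field means no password.
SHADOW = """root::19519:0:99999:7:::
daemon:*:19519:0:99999:7:::
testuser::19558:0:99999:7:::
alice:!$y$j9T$abc$def:19558:0:99999:7:::
"""
LOGIN_DEFS = "PREVENT_NO_AUTH superuser\n"
# Assumed Debian-style common-auth line; the nullok option is what permits empty passwords.
PAM_COMMON_AUTH = "auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"

def passwordless_accounts(shadow_text: str) -> List[str]:
    """Names whose shadow password field is empty ('!' or '*' means locked, not empty)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names

def prevent_no_auth(login_defs_text: str) -> Optional[str]:
    """Value of PREVENT_NO_AUTH in login.defs, or None if the option is absent."""
    for line in login_defs_text.splitlines():
        m = re.match(r"\s*PREVENT_NO_AUTH\s+(\S+)", line)
        if m:
            return m.group(1)
    return None

def pam_allows_empty_password(pam_text: str) -> bool:
    """True if an uncommented pam_unix auth line carries nullok or nullok_secure."""
    for line in pam_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tolerate [ctrl=...] fields
        if parts and parts[0] == "auth" and "pam_unix.so" in parts:
            if any(p.startswith("nullok") for p in parts[parts.index("pam_unix.so") + 1:]):
                return True
    return False

def audit(shadow_text: str, login_defs_text: str, pam_text: str) -> List[str]:
    """Findings a defender would act on; an empty list means nothing to report."""
    findings = []
    empties = passwordless_accounts(shadow_text)
    if empties:
        findings.append("accounts with empty password field: " + ", ".join(empties))
        if pam_allows_empty_password(pam_text):
            findings.append("PAM stack permits empty passwords (nullok); "
                            f"PREVENT_NO_AUTH={prevent_no_auth(login_defs_text)} "
                            "is not enforced in a PAM build")
    return findings
```

Run `audit(SHADOW, LOGIN_DEFS, PAM_COMMON_AUTH)` to reproduce the two findings; on a real host, feed it the contents of `/etc/shadow`, `/etc/login.defs` and `/etc/pam.d/common-auth`.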


