[Pkg-sysvinit-devel] Bug#406588: init and telinit can reveal root
pass on return from runlevel 1
Lewis Stoddart
lewis at feayn.org
Fri Jan 12 03:33:55 CET 2007
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security
Hi,
It seems that, upon returning from runlevel 1, init is failing to kill the recovery console, which then tries to run the user's password as a command when they try to log in again. /sbin/init and /sbin/telinit appear to give identical results. An earlier version of sysvinit (2.86.ds1-15) doesn not appear to be affected by this bug.
To reproduce:
1. log in as root at a local console.
2. run `init 1' to enter that runlevel.
3. enter root password (for maintenance).
4. run `init 2' to return to the original runlevel.
5. you should see a login: prompt. attempt to log in.
On my box, I got `bash: mypassword: command not found'. It's very embarrasing to see your root pass echoed to a terminal.
Cheers,
L
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Versions of packages sysvinit depends on:
ii initscripts 2.86.ds1-36 Scripts for initializing and shutt
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libselinux1 1.32-3 SELinux shared libraries
ii libsepol1 1.14-1 Security Enhanced Linux policy lib
ii sysv-rc 2.86.ds1-36 System-V-like runlevel change mech
ii sysvinit-utils 2.86.ds1-36 System-V-like utilities
sysvinit recommends no packages.
-- no debconf information
More information about the Pkg-sysvinit-devel
mailing list