[Pkg-sysvinit-devel] Bug#406588: init and telinit can reveal root pass on return from runlevel 1

Lewis Stoddart lewis at feayn.org
Fri Jan 12 03:33:55 CET 2007


Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security
 
Hi,
 
It seems that, upon returning from runlevel 1, init is failing to kill the recovery console, which then tries to run the user's password as a command when they try to log in again. /sbin/init and /sbin/telinit appear to give identical results. An earlier version of sysvinit (2.86.ds1-15) doesn not appear to be affected by this bug.
 
To reproduce:
 
1. log in as root at a local console.
 
2. run `init 1' to enter that runlevel.
 
3. enter root password (for maintenance).
 
4. run `init 2' to return to the original runlevel.
 
5. you should see a login: prompt. attempt to log in.
 
On my box, I got `bash: mypassword: command not found'. It's very embarrasing to see your root pass echoed to a terminal. 
 
Cheers, 
L
 
-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)

Versions of packages sysvinit depends on:
ii  initscripts                  2.86.ds1-36 Scripts for initializing and shutt
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libselinux1                  1.32-3      SELinux shared libraries
ii  libsepol1                    1.14-1      Security Enhanced Linux policy lib
ii  sysv-rc                      2.86.ds1-36 System-V-like runlevel change mech
ii  sysvinit-utils               2.86.ds1-36 System-V-like utilities

sysvinit recommends no packages.

-- no debconf information




More information about the Pkg-sysvinit-devel mailing list