[Pkg-sysvinit-devel] Bug#406587: init and telinit can reveal root pass on return from runlevel 1

[Lewis Stoddart]

Subject: init and telinit can reveal root pass on return from runlevel 1
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security

Hi,

It seems that, upon returning from runlevel 1, init is failing to kill the recovery console, which then tries to run the user's password as a command when they try to log in again. /sbin/init and /sbin/telinit appear to give identical results. An earlier version of sysvinit (2.86.ds1-15) doesn not appear to be affected by this bug.

To reproduce:

1. log in as root at a local console.

2. run `init 1' to enter that runlevel.

3. enter root password (for maintenance).

4. run `init 2' to return to the original runlevel.

5. you should see a login: prompt. attempt to log in.

On my box, I got `bash: mypassword: command not found'. It's very embarrasing to see your root pass echoed to a terminal. 

Cheers, 
L

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)

Versions of packages sysvinit depends on:
ii  initscripts                  2.86.ds1-36 Scripts for initializing and shutt
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libselinux1                  1.32-3      SELinux shared libraries
ii  libsepol1                    1.14-1      Security Enhanced Linux policy lib
ii  sysv-rc                      2.86.ds1-36 System-V-like runlevel change mech
ii  sysvinit-utils               2.86.ds1-36 System-V-like utilities

sysvinit recommends no packages.

-- no debconf information