[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw

Philip Hands phil at hands.com
Wed Feb 25 11:01:26 UTC 2009


On Tue, Feb 24, 2009 at 11:56:14PM -0800, Steve Langasek wrote:
> reassign 517018 sysvinit-utils
> thanks
> 
> On Wed, Feb 25, 2009 at 01:43:05AM -0500, Michael Gilbert wrote:
> > On Tue, 24 Feb 2009 22:12:52 -0800 Steve Langasek wrote:
> > > > since there is no root password set up during installation, a local
> > > > attacker can simply boot into the root account (without being prompted
> > > > for a password) via single user mode ("single" kernel option).
> 
> > > Have you tested that this is actually the case?
> 
> > Yes.
> 
> Ok; reassigning to sysvinit-utils.
> 
> > I'm not entirely sure what the installer is doing (I assume that it
> > generates a random password since "su" itself still requires a password),
> > but the easiest way I could think to describe the problem was by the term
> > no-root.  If there is better terminology that I can use, please let me
> > know.
> 
> What this is supposed to do is configure the root account without a valid
> password.  You can verify this is the case by checking whether root's
> password field in /etc/shadow is set to '*' or '!'.
> 
> Looking at sulogin's code, it treats this as an invalid password (which is
> true), and as a result bypasses the password check entirely (which is
> questionable).

It might make sense to have some way of checking if the boot-loader has
been locked down to prevent people specifying an alternative init, and
if it has, refuse to allow root access here as well, but in that case
how is one expected to recover from a failed fsck?

Cheers, Phil.
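
The /etc/shadow check described in the quoted reply, as an added example that is not part of the original message or of sysvinit: it classifies an account's password field in a shadow(5)-format file. The function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an account's password field in a shadow(5)-format file.

# Prints: missing | empty | locked | hashed
shadow_field_state() {
    # $1 = path to shadow-format file, $2 = account (default: root)
    awk -F: -v user="${2:-root}" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"    # no password required
            else if ($2 ~ /^[*!]/) print "locked"   # "*" or "!" (also "!<hash>")
            else                   print "hashed"   # treated here as a usable hash
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Returns 0 when the account has no usable password, i.e. the state in which,
# per the thread, sulogin skips its password check in single-user mode.
no_usable_password() {
    case "$(shadow_field_state "$1" "${2:-root}")" in
        empty|locked) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample data (not from any real system).
write_sample() {
    cat > "$1" <<'EOF'
root:!:14300:0:99999:7:::
daemon:*:14300:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:14300:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample "$sample"
for u in root daemon alice nobody; do
    printf '%s: %s\n' "$u" "$(shadow_field_state "$sample" "$u")"
done
rm -f "$sample"
```

On a live system, point `shadow_field_state` at /etc/shadow as root; a result of `locked` or `empty` for root is the configuration this bug report concerns.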




