[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw

Wouter Verhelst wouter at debian.org
Wed Feb 25 11:28:47 UTC 2009

On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> package: debian-installer
> severity: important
> tags: security
> there is now an option in the expert mode of the debian-installer that
> allows the user to install their system without a root account
> (replacing it with sudo priviledges for the default user). this exposes
> a loophole that enables local attackers to easily obtain root access.

There are several ways in which a local attacker can get root access.
'init=/bin/bash'. boot with the 'emergency' option (which causes
sysvinit to do almost the same thing as 'init=/bin/bash'). Boot a
live-CD, chroot into the target system. Worst case, remove the disk from
the system, put it in a different machine, and chroot from there.

While it may be a bug, I don't think an additional way to do this
warrants this to be tagged 'security'. YMMV, of course.

<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22

More information about the Pkg-sysvinit-devel mailing list