[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw
Jérémy Bobbio
lunar at debian.org
Wed Feb 25 11:47:39 UTC 2009
On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option).
> […]
With or without a root password, you can always add the "init=/bin/sh"
and achieve the same.
I don't see this as a bug at all. The debian-installer can configure
GRUB passwords and hard disk encryption. The latter being a really
effective measure against the threat you describe.
Cheers,
--
Jérémy Bobbio .''`.
lunar at debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
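An added example, not part of the original message: a minimal audit of the two measures named above, checking whether a boot loader password prevents editing the kernel command line and whether any encrypted volumes are declared. It assumes GRUB 2 configuration syntax (`set superusers`, `password_pbkdf2`, `password`) and /etc/crypttab-style text; the function names and sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from any real system).
UNPROTECTED = 'menuentry "Debian" {\n  linux /vmlinuz root=/dev/sda1 ro\n}\n'
PROTECTED = ('set superusers="admin"\n'
             'password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED\n'
             + UNPROTECTED)
CLEARTEXT = 'set superusers="admin, rescue"\npassword admin hunter2\n' + UNPROTECTED


def audit_grub_cfg(text):
    """Return findings about boot-entry editing protection in GRUB 2 config text."""
    superusers, hashed, cleartext = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'set\s+superusers\s*=\s*"?([^"]*)"?', line)
        if m:
            # GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators.
            superusers = set(re.split(r'[\s,;|&]+', m.group(1))) - {""}
            continue
        m = re.match(r'(password_pbkdf2|password)\s+(\S+)\s+\S+', line)
        if m:
            (hashed if m.group(1) == "password_pbkdf2" else cleartext).add(m.group(2))
    findings = []
    if not superusers:
        findings.append("no superusers set: the kernel command line can be edited at the menu")
    for user in sorted(superusers - hashed - cleartext):
        findings.append(f"superuser {user} has no password entry")
    for user in sorted(cleartext):
        findings.append(f"user {user} has a cleartext password in the config")
    return findings


def encrypted_mappings(crypttab_text):
    """Return the mapping names declared in /etc/crypttab-style text."""
    names = []
    for raw in crypttab_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for label, cfg in (("unprotected", UNPROTECTED), ("protected", PROTECTED), ("cleartext", CLEARTEXT)):
        print(label, audit_grub_cfg(cfg) or "ok")
    print(encrypted_mappings("# constructed\nsda5_crypt UUID=0000 none luks\n"))
```

An empty result from `encrypted_mappings` means no encrypted volume is declared, in which case a boot loader password alone does not protect the data on disk from someone with physical access.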