[Pkg-sysvinit-devel] Bug#517018: debian-installer: no-root option in expert installer exposes locally exploitable security flaw

[Jérémy Bobbio]

On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote:
> since there is no root password set up during installation, a local
> attacker can simply boot into the root account (without being prompted
> for a password) via single user mode ("single" kernel option).
> […]

With or without a root password, you can always add the "init=/bin/sh"
and achieve the same.

I don't see this as a bug at all.  The debian-installer can configure
GRUB passwords and hard disk encryption.  The later being a really
effective measure again the threat you describe.

Cheers,
-- 
Jérémy Bobbio                        .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-sysvinit-devel/attachments/20090225/5d7bac75/attachment.pgp