On Tue, 24 Feb 2009 22:12:52 -0800 Steve Langasek wrote:
> > since there is no root password set up during installation, a local
> > attacker can simply boot into the root account (without being prompted
> > for a password) via single user mode ("single" kernel option).
> 
> Have you tested that this is actually the case?

Yes.

> "no password" != "empty password".  

Right, I certainly appreciate that there is a huge difference.  I'm not
entirely sure what the installer is doing (I assume that it generates a
random password, since "su" itself still requires a password), but the
easiest way I could think of to describe the problem was by the term
no-root.  If there is better terminology that I can use, please let me
know.

> Booting in single user mode should not
> allow you to bypass the password prompt, and if it does, that's a bug in the
> sulogin program.

This is exactly what happens.  There is no password prompt for single
user mode.

It may indeed be more of an issue related to sulogin than the installer,
but the (non-default) no-root feature in the expert installer exposes
the problem.  The current behavior may have been a conscious choice
(probably made by someone on the Ubuntu team) to allow users to admin
their systems even though they never set up a root password.

> > [1] discusses the details of the method for password recovery, but the
> > same can be used for malicious purposes, of course.
> 
> > [1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html
> 
> This link explicitly shows overriding the init value in the bootloader. 
> That doesn't appear to have anything to do with vulnerabilities with how the
> root account is set up.

Regardless of what the article says, the "init=/bin/bash" option isn't
actually necessary.  All you need is "single", and a boot entry for
that is automatically set up by the installer by default.

mike



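The thread turns on the difference between "no password" and "empty password" and on the installer's automatically generated single-user boot entry. The script below is an added example, not code from the thread or from the Debian or Ubuntu installer: it classifies the root entry of shadow(5)-formatted text as empty (no hash at all), locked (a field starting with "!" or "*", which no password can match, so "su" fails) or hashed, and counts bootloader entries that pass "single" to the kernel. All sample data is constructed inline; the shadow lines and GRUB-legacy menu.lst fragment are not from any real system, and how a given sulogin version treats a locked root entry is left to the reader to verify on their own system, since the script only reports what is in the files.

```shell
#!/bin/sh
# Added example (not from the thread or the installer): distinguish
# "no password" from "empty password" in a shadow(5) file, and list
# bootloader entries that would enter single-user mode.

# Classify the password field of one shadow(5) line.
# Prints one of: empty, locked, hashed, missing.
classify_shadow_line() {
    line=$1
    case $line in
        "") echo missing; return ;;
    esac
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case $field in
        "")        echo empty ;;   # no hash at all: login succeeds with no password
        '!'*|'*'*) echo locked ;;  # locked: no password can match this field
        *)         echo hashed ;;  # a real hash: a password is required
    esac
}

# Find the root line in shadow-formatted text and classify it.
root_password_state() {
    shadow_text=$1
    root_line=$(printf '%s\n' "$shadow_text" | grep '^root:' | head -n 1)
    classify_shadow_line "$root_line"
}

# Count bootloader entries whose kernel line carries the literal
# "single" argument (GRUB legacy "kernel" or GRUB 2 "linux" lines).
single_user_entries() {
    config_text=$1
    printf '%s\n' "$config_text" \
        | grep -Ec '^[[:space:]]*(kernel|linux)[[:space:]].*[[:space:]]single([[:space:]]|$)' \
        || true
}

# Constructed sample data (hashes are placeholders, not real hashes).
SAMPLE_SHADOW_LOCKED='root:!:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
mike:$6$saltsalt$notarealhashjustaplaceholder:14000:0:99999:7:::'

SAMPLE_SHADOW_EMPTY='root::14000:0:99999:7:::'

SAMPLE_SHADOW_HASHED='root:$6$saltsalt$anotherplaceholderhash:14000:0:99999:7:::'

SAMPLE_MENU_LST='title Debian GNU/Linux, kernel 2.6.26-1-686
root (hd0,0)
kernel /boot/vmlinuz-2.6.26-1-686 root=/dev/sda1 ro quiet
initrd /boot/initrd.img-2.6.26-1-686

title Debian GNU/Linux, kernel 2.6.26-1-686 (single-user mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.26-1-686 root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.26-1-686'

# Report on the constructed samples. On a live system you would instead
# read /etc/shadow (as root) and /boot/grub/menu.lst or /boot/grub/grub.cfg.
echo "locked sample: root password state = $(root_password_state "$SAMPLE_SHADOW_LOCKED")"
echo "empty  sample: root password state = $(root_password_state "$SAMPLE_SHADOW_EMPTY")"
echo "hashed sample: root password state = $(root_password_state "$SAMPLE_SHADOW_HASHED")"
echo "single-user boot entries in sample menu.lst: $(single_user_entries "$SAMPLE_MENU_LST")"
```

The "locked" result is the case the thread calls "no-root": su will never accept a password for such an account, so whether an unattended single-user login is possible comes down entirely to what sulogin does when it finds that field, which is the point Steve raises about sulogin rather than the installer.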