root has access to console without password by default
Posted: Thu Feb 28, 2013 3:14 am
Hi,
Not sure if this topic landed in the right area.. but here goes.
I downloaded the LMDE 201303rc from http://ftp.df.lth.se/pub/linuxmint/test ... bit-rc.iso
via the download section from linuxmint.com.
There is imho a big issue/bug/feature which shouldn't be..
I discovered after installing this release that you can log in without using a password on root (since by default root is "disabled" by having no password) by switching to another console (e.g. ctrl-alt-F1) and just typing root, then pressing enter, and you are in..
While this requires local physical access, this is still a HUGE! security problem! Anyone with access to the computer can get root access without any problem whatsoever.
I don't know if something went wrong with my installation that made this possible, even though I doubt it. I would be happy if anyone else has noticed this issue.
This only affects systems where you have not set a root password manually by doing e.g. sudo passwd,
so if you are concerned about this, there are 2 ways to handle this.
1)
(this is what I recommend you do.. no user with a blank password should ever have access to your system anyway)
Edit your /etc/pam.d/common-auth and find this line:
auth [success=1 default=ignore] pam_unix.so nullok_secure
and either comment out 'nullok_secure' like this:
auth [success=1 default=ignore] pam_unix.so #nullok_secure
or simply erase 'nullok_secure'.
2)
Set a password for the root account by e.g. doing sudo passwd.
I tried to find any information about this on the forum and through google but failed.. so either I suck at finding information or this is a new one..
/ronny
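The two conditions behind this post, as an added audit example (this is not part of ronny's post or of any Linux Mint tooling): a small POSIX shell check that reports whether a Debian-style common-auth file still passes nullok/nullok_secure to pam_unix.so, and whether any account in a shadow(5)-format file has an empty password field. Passwordless console login needs both at once, which is why either fix the post describes (dropping nullok_secure, or setting a root password) closes it. File paths are parameters; the files used below are constructed samples, and on a live system you would point the functions at the real /etc/pam.d/common-auth and /etc/shadow as root.

```shell
#!/bin/sh
# Added audit helper, not from the forum post. Checks (1) whether PAM still
# accepts blank passwords via pam_unix.so nullok/nullok_secure and (2) whether
# any account has an empty password field in a shadow-format file.

# Return 0 if an active (uncommented) auth line passes nullok or nullok_secure
# to pam_unix.so, 1 otherwise. Text after '#' is stripped first, so the
# "comment out nullok_secure" fix from the post is correctly seen as closed.
pam_allows_blank_passwords() {
    sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok' >/dev/null
}

# Print the login names whose shadow password field (field 2) is empty.
# Locked ("!", "*") and hashed fields are skipped.
accounts_with_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 (vulnerable) only when PAM permits blank passwords AND at least
# one account actually has an empty password; 1 otherwise.
console_login_without_password_possible() {
    pam_allows_blank_passwords "$1" || return 1
    [ -n "$(accounts_with_empty_password "$2")" ]
}

# Human-readable verdict for a pair of files; exit status mirrors the check.
report() {
    if console_login_without_password_possible "$1" "$2"; then
        echo "VULNERABLE: blank passwords accepted by PAM; empty-password accounts:" \
             "$(accounts_with_empty_password "$2" | tr '\n' ' ')"
        return 0
    fi
    echo "OK: console login without a password is not possible with these files"
    return 1
}

# --- constructed sample files (not copied from any real system) ---
tmp=$(mktemp -d)

# common-auth as the post found it: nullok_secure active
cat > "$tmp/common-auth.before" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required  pam_permit.so
EOF

# common-auth after applying fix 1) from the post: option commented out
cat > "$tmp/common-auth.after" <<'EOF'
auth [success=1 default=ignore] pam_unix.so #nullok_secure
auth requisite pam_deny.so
auth required  pam_permit.so
EOF

# shadow-format sample: root has an EMPTY password field (the post's default),
# daemon is locked, ronny has a placeholder hash (not a real hash)
cat > "$tmp/shadow.sample" <<'EOF'
root::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
ronny:$6$constructed$notarealhash:15000:0:99999:7:::
EOF

report "$tmp/common-auth.before" "$tmp/shadow.sample" || true
report "$tmp/common-auth.after"  "$tmp/shadow.sample" || true
```

Run it as-is to see the before/after verdicts on the sample files; for a real audit, call `report /etc/pam.d/common-auth /etc/shadow` as root. Applying the post's second fix (giving root a password) would make accounts_with_empty_password print nothing, which the combined check also treats as closed.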