root has access to console without password by default

Questions about other topics - please check if your question fits better in another category before posting here
Forum rules
Before you post please read this

root has access to console without password by default

Postby apsvett on Thu Feb 28, 2013 3:14 am

Hi,

not sure if this topic landed in the right area.. but here goes,

I downloaded the LMDE 201303rc from http://ftp.df.lth.se/pub/linuxmint/test ... bit-rc.iso
via the download section form linuxmint.com


there is imho a big issue/bug/feature which shouldnt be..

I discovered after installing this release that you can login without using password on root (since by default root is "disabled" by having no password) by switching to another console (eg: ctrl-alt-F1) and just type root then press enter and you are in..
While this require local physical access this is still a HUGE! security problem! anyone with access to the computer can get root access without any problem whatsoever.

I dont know if something went wrong with my installation that made this possible, even though I doubt it. I would be happy if anyone else has noticed this issue.

This only affects system where you have not set a root password manually by doing eg: sudo passwd

so if you are concerned about this, there are 2 ways to handle this.

1,)
(this is what I recommend you do.. no user with blank password should ever have access to your system anyway)
edit your /etc/pam.d/common-auth and find this line:
auth [success=1 default=ignore] pam_unix.so nullok_secure

and either comment out 'nullok_secure' like this
auth [success=1 default=ignore] pam_unix.so #nullok_secure

or simply erase 'nullok_secure'

2,)
set a password for the root account by eg: doing sudo passwd

I, tried to find any information about this on the foru, and through google but failed.. so either I suck at finding information or this is a new 1..

/ronny
Last edited by apsvett on Thu Feb 28, 2013 3:58 am, edited 1 time in total.
apsvett
Level 1
Level 1
 
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm

Linux Mint is funded by ads and donations.
 

Re: root has access to console without password by default

Postby caf4926 on Thu Feb 28, 2013 3:17 am

Are you meaning in the installed system or the Live session?
Image
Mint 16 Cinnamon_64
User avatar
caf4926
Level 7
Level 7
 
Posts: 1778
Joined: Mon Mar 22, 2010 3:21 pm
Location: UK Lake District

Re: root has access to console without password by default

Postby apsvett on Thu Feb 28, 2013 3:23 am

yes in the installed system, not the livecd..

caf4926 wrote:Are you meaning in the installed system or the Live session?
apsvett
Level 1
Level 1
 
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm

Re: root has access to console without password by default

Postby caf4926 on Thu Feb 28, 2013 3:44 am

And do you mean

Code: Select all
su -
And no password is requested?
Image
Mint 16 Cinnamon_64
User avatar
caf4926
Level 7
Level 7
 
Posts: 1778
Joined: Mon Mar 22, 2010 3:21 pm
Location: UK Lake District

Re: root has access to console without password by default

Postby apsvett on Thu Feb 28, 2013 3:49 am

sorry maybe I didnt explain god enought.. I mean

u do CTRL-ALT-F1 (or any other F(x) console)

and this also mean it dosnt matter if anyone are logged in and locked the session or newly started system.

caf4926 wrote:And do you mean

Code: Select all
su -
And no password is requested?
apsvett
Level 1
Level 1
 
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm


Return to Other Topics

Who is online

Users browsing this forum: No registered users and 0 guests