root has access to console without password by default

Archived topics about LMDE 1
Forum rules
apsvett
Level 1
Level 1
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm

root has access to console without password by default

Postby apsvett » Thu Feb 28, 2013 3:14 am

Hi,

not sure if this topic landed in the right area.. but here goes,

I downloaded the LMDE 201303rc from http://ftp.df.lth.se/pub/linuxmint/test ... bit-rc.iso
via the download section form linuxmint.com


there is imho a big issue/bug/feature which shouldnt be..

I discovered after installing this release that you can login without using password on root (since by default root is "disabled" by having no password) by switching to another console (eg: ctrl-alt-F1) and just type root then press enter and you are in..
While this require local physical access this is still a HUGE! security problem! anyone with access to the computer can get root access without any problem whatsoever.

I dont know if something went wrong with my installation that made this possible, even though I doubt it. I would be happy if anyone else has noticed this issue.

This only affects system where you have not set a root password manually by doing eg: sudo passwd

so if you are concerned about this, there are 2 ways to handle this.

1,)
(this is what I recommend you do.. no user with blank password should ever have access to your system anyway)
edit your /etc/pam.d/common-auth and find this line:
auth [success=1 default=ignore] pam_unix.so nullok_secure

and either comment out 'nullok_secure' like this
auth [success=1 default=ignore] pam_unix.so #nullok_secure

or simply erase 'nullok_secure'

2,)
set a password for the root account by eg: doing sudo passwd

I, tried to find any information about this on the foru, and through google but failed.. so either I suck at finding information or this is a new 1..

/ronny
Last edited by apsvett on Thu Feb 28, 2013 3:58 am, edited 1 time in total.

User avatar
caf4926
Level 7
Level 7
Posts: 1848
Joined: Mon Mar 22, 2010 3:21 pm
Location: UK Lake District

Re: root has access to console without password by default

Postby caf4926 » Thu Feb 28, 2013 3:17 am

Are you meaning in the installed system or the Live session?
Image
Mint 18

apsvett
Level 1
Level 1
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm

Re: root has access to console without password by default

Postby apsvett » Thu Feb 28, 2013 3:23 am

yes in the installed system, not the livecd..

caf4926 wrote:Are you meaning in the installed system or the Live session?

User avatar
caf4926
Level 7
Level 7
Posts: 1848
Joined: Mon Mar 22, 2010 3:21 pm
Location: UK Lake District

Re: root has access to console without password by default

Postby caf4926 » Thu Feb 28, 2013 3:44 am

And do you mean

Code: Select all

su -
And no password is requested?
Image
Mint 18

apsvett
Level 1
Level 1
Posts: 3
Joined: Wed Feb 27, 2013 5:11 pm

Re: root has access to console without password by default

Postby apsvett » Thu Feb 28, 2013 3:49 am

sorry maybe I didnt explain god enought.. I mean

u do CTRL-ALT-F1 (or any other F(x) console)

and this also mean it dosnt matter if anyone are logged in and locked the session or newly started system.

caf4926 wrote:And do you mean

Code: Select all

su -
And no password is requested?


Return to “Archive”

Who is online

Users browsing this forum: No registered users and 0 guests