Bug#406587: init and telinit can reveal root pass on return from runlevel 1
Hi,

Grant Thomas, on Thu 11 Jan 2007 21:17:40 -0600, wrote:
> I have the same problem as Lewis Stoddart above, with a small difference.
> My machine gives the bash error when the username is supplied. I do not
> receive the password in cleartext. The problem does not appear when the
> maintenance mode is skipped with ctrl+D.

What seems to happen is that init doesn't kill the maintenance shell: I can see it running on tty1, concurrently with getty, thus things are mixed: characters sometimes go to the maintenance shell, sometimes to getty.

Samuel
Bug#406587: init and telinit can reveal root pass on return from runlevel 1
Hi,

Samuel Thibault, on Fri 12 Jan 2007 10:44:04 +0100, wrote:
> Grant Thomas, on Thu 11 Jan 2007 21:17:40 -0600, wrote:
> > I have the same problem as Lewis Stoddart above, with a small difference.
> > My machine gives the bash error when the username is supplied. I do not
> > receive the password in cleartext. The problem does not appear when the
> > maintenance mode is skipped with ctrl+D.
>
> What seems to happen is that init doesn't kill the maintenance shell: I
> can see it running on tty1, concurrently with getty, thus things are
> mixed: characters sometimes go to the maintenance shell, sometimes to
> getty.

Oops, init uses groups for sending TERM/KILL signals, so it does hurt here to always set a session in sulogin. Here is a much safer version of 66_init_emerg_tty.dpatch

Samuel

#! /bin/sh /usr/share/dpatch/dpatch-run ## 66_init_ermg_tty.dpatch by Samuel Thibault ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fix emergency mode's tty, making sure ^C and ^Z work when ## DP: booting with 'emergency' kernel option. Closes bug #374543. @DPATCH@ Index: sysvinit/src/init.c === --- sysvinit/src/init.c (revisjon 808) +++ sysvinit/src/init.c (arbeidskopi) @@ -89,7 +89,7 @@ CHILD *newFamily = NULL; /* The list after inittab re-read */ CHILD ch_emerg = { /* Emergency shell */ - 0, 0, 0, 0, 0, + WAITING, 0, 0, 0, 0, ~~, S, 3, Index: sysvinit/src/sulogin.c --- sysvinit/src/sulogin.c (revisjon 808) +++ sysvinit/src/sulogin.c (arbeidskopi) @@ -23,6 +23,7 @@ #include pwd.h #include shadow.h #include termios.h +#include errno.h #include sys/ioctl.h #if defined(__GLIBC__) # include crypt.h @@ -427,7 +428,12 @@ } else close(fd); } - } + } else if (getpid() == 1) { + /* We are init. We hence need to set a session anyway */ + setsid(); + if (ioctl(0, TIOCSCTTY, (char *)1)) + perror(ioctl(TIOCSCTTY)); + } /* * Get the root password.
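Review bot: in the init.c hunk (@@ -89,7 +89,7 @@), the first initializer of ch_emerg changes from 0 to WAITING, but the `## DP:` description only mentions ^C and ^Z in emergency mode and bug #374543. Nothing in the patch says why the emergency shell entry needs WAITING; please add a DP line or a comment next to the initializer explaining what the flag changes for this entry.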
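Review bot: in the sulogin.c hunk at @@ -23,6 +23,7 @@, `+#include errno.h` is added but none of the added lines in this patch reference errno; the only new error path uses perror(). If nothing else in the change needs it, drop the include.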
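Review bot: in the sulogin.c hunk at @@ -427,7 +428,12 @@, the new `getpid() == 1` branch ignores the return value of setsid() while the ioctl that follows is checked, so a setsid() failure would only show up as a TIOCSCTTY error that hides the real cause. Check setsid() too and report it separately. The TIOCSCTTY argument of 1 (take the terminal even if another session holds it) also deserves a word in the comment, since that is what separates this branch from the non-init path.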
Bug#406587: init and telinit can reveal root pass on return from runlevel 1
Subject: init and telinit can reveal root pass on return from runlevel 1
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security

Hi,

It seems that, upon returning from runlevel 1, init is failing to kill the recovery console, which then tries to run the user's password as a command when they try to log in again. /sbin/init and /sbin/telinit appear to give identical results. An earlier version of sysvinit (2.86.ds1-15) does not appear to be affected by this bug.

To reproduce:
1. log in as root at a local console.
2. run `init 1' to enter that runlevel.
3. enter root password (for maintenance).
4. run `init 2' to return to the original runlevel.
5. you should see a login: prompt. attempt to log in.

On my box, I got `bash: mypassword: command not found'. It's very embarrassing to see your root pass echoed to a terminal.

Cheers,
L

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)

Versions of packages sysvinit depends on:
ii  initscripts     2.86.ds1-36   Scripts for initializing and shutt
ii  libc6           2.3.6.ds1-8   GNU C Library: Shared libraries
ii  libselinux1     1.32-3        SELinux shared libraries
ii  libsepol1       1.14-1        Security Enhanced Linux policy lib
ii  sysv-rc         2.86.ds1-36   System-V-like runlevel change mech
ii  sysvinit-utils  2.86.ds1-36   System-V-like utilities

sysvinit recommends no packages.

-- no debconf information
Bug#406587: init and telinit can reveal root pass on return from runlevel 1
I have the same problem as Lewis Stoddart above, with a small difference. My machine gives the bash error when the username is supplied. I do not receive the password in cleartext. The problem does not appear when the maintenance mode is skipped with ctrl+D.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
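An added illustration of the mechanism Samuel Thibault describes in this thread (init signals by process group, so a shell that has started its own session is missed and keeps reading the tty next to getty). It is a simplified model written for this page, not sysvinit code; the function name `survives_group_term` and the two-level fork are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Model only. Returns 1 if the stand-in shell outlives SIGTERM sent to the
 * tracked process group, 0 if it dies with the group, -1 on setup failure. */
int survives_group_term(int calls_setsid)
{
    int p[2];
    pid_t child, shell = -1;

    if (pipe(p) < 0 || (child = fork()) < 0)
        return -1;
    if (child == 0) {                     /* the tracked child */
        pid_t g;
        setpgid(0, 0);                    /* own group: pgid == pid */
        if ((g = fork()) < 0)
            _exit(1);
        if (g == 0) {                     /* stand-in for the maintenance shell */
            pid_t me = getpid();
            if (calls_setsid)
                setsid();                 /* new session and new process group */
            if (write(p[1], &me, sizeof me) < 0)
                _exit(1);
        }
        for (;;) pause();                 /* both wait to be signalled */
    }
    close(p[1]);
    if (read(p[0], &shell, sizeof shell) != (ssize_t)sizeof shell)
        return -1;
    kill(-child, SIGTERM);                /* signal the whole tracked group */
    waitpid(child, NULL, 0);
    /* Only the stand-in shell can still hold the write end: hang-up = dead. */
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    int survived = (poll(&pfd, 1, 1000) == 0);
    if (survived) kill(shell, SIGKILL);   /* clean up the survivor */
    close(p[0]);
    return survived;
}

int main(void)
{
    printf("same group: survived=%d, own session: survived=%d\n",
           survives_group_term(0), survives_group_term(1));
    return 0;
}
```

On a system showing the symptom, `ps -o pid,pgid,sid,tty,comm` run after the runlevel change shows the same situation: a leftover shell on tty1 whose process group differs from the one init signalled.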