Bug#406587: init and telinit can reveal root pass on return from runlevel 1

2007-01-12 Thread Samuel Thibault
Hi,

Grant Thomas, on Thu 11 Jan 2007 21:17:40 -0600, wrote:
> I have the same problem as Lewis Stoddart above, with a small difference.
>
> My machine gives the bash error when the username is supplied.
> I do not receive the password in cleartext.
>
> The problem does not appear when the maintenance mode is skipped with
> ctrl+D.

What seems to happen is that init doesn't kill the maintenance shell: I
can see it running on tty1, concurrently with getty, thus things are
mixed: characters sometimes go to the maintenance shell, sometimes to
getty.

Samuel



Bug#406587: init and telinit can reveal root pass on return from runlevel 1

2007-01-12 Thread Samuel Thibault
Hi,

Samuel Thibault, on Fri 12 Jan 2007 10:44:04 +0100, wrote:
> Grant Thomas, on Thu 11 Jan 2007 21:17:40 -0600, wrote:
> > I have the same problem as Lewis Stoddart above, with a small difference.
> >
> > My machine gives the bash error when the username is supplied.
> > I do not receive the password in cleartext.
> >
> > The problem does not appear when the maintenance mode is skipped with
> > ctrl+D.
>
> What seems to happen is that init doesn't kill the maintenance shell: I
> can see it running on tty1, concurrently with getty, thus things are
> mixed: characters sometimes go to the maintenance shell, sometimes to
> getty.

Oops, init uses groups for sending TERM/KILL signals, so it does here
hurt to always set a session in sulogin. Here is a much safer version of
66_init_emerg_tty.dpatch

Samuel
#! /bin/sh /usr/share/dpatch/dpatch-run
## 66_init_ermg_tty.dpatch by Samuel Thibault
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix emergency mode's tty, making sure ^C and ^Z work when
## DP: booting with 'emergency' kernel option.  Closes bug #374543.

@DPATCH@
Index: sysvinit/src/init.c
===
--- sysvinit/src/init.c (revisjon 808)
+++ sysvinit/src/init.c (arbeidskopi)
@@ -89,7 +89,7 @@
 CHILD *newFamily = NULL;   /* The list after inittab re-read */
 
 CHILD ch_emerg = { /* Emergency shell */
-   0, 0, 0, 0, 0,
+   WAITING, 0, 0, 0, 0,
~~,
S,
3,
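Review bot: The positional initializer for ch_emerg hides which CHILD member now receives WAITING, and the patch description only mentions ^C and ^Z. A short comment on the changed line naming the field and saying why the emergency shell has to be waited for would make the intent checkable without opening the struct definition.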
Index: sysvinit/src/sulogin.c
--- sysvinit/src/sulogin.c  (revisjon 808)
+++ sysvinit/src/sulogin.c  (arbeidskopi)
@@ -23,6 +23,7 @@
 #include pwd.h
 #include shadow.h
 #include termios.h
+#include errno.h
 #include sys/ioctl.h
 #if defined(__GLIBC__)
 #  include crypt.h
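Review bot: Nothing in the visible hunks of sulogin.c references errno, since the new error path further down reports through perror(). Unless other code in the file needs it, the added errno.h include can be dropped.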
@@ -427,7 +428,12 @@
} else
close(fd);
}
-   }
+   } else if (getpid() == 1) {
+   /* We are init. We hence need to set a session anyway */
+   setsid();
+   if (ioctl(0, TIOCSCTTY, (char *)1))
+   perror(ioctl(TIOCSCTTY));
+   }
 
/*
 *  Get the root password.
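Review bot: In the new getpid() == 1 branch the return value of setsid() is ignored, so a failure there only surfaces indirectly as the TIOCSCTTY error that follows. Check it and report it on its own, for example if (setsid() < 0) perror("setsid"); before the ioctl. The comment could also state why the branch is limited to PID 1, since that restriction is the whole point of this revision of the patch.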


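The mechanism described in the message above (init signals process groups, so a process that has moved to its own session is missed), as an added example that is not part of the thread or of sysvinit. The "leader" and "shell" processes and the function name are constructed stand-ins; the shell is a grandchild because setsid() only succeeds for a process that is not already a group leader.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed demo: "leader" stands in for a job spawned by init, "shell" for
 * a process it starts. Returns 1 if the shell outlives a SIGTERM sent to the
 * leader's process group, 0 if it dies, -1 on setup failure. */
int shell_survives_group_term(int shell_calls_setsid)
{
    int pfd[2];
    pid_t leader, shell_pid;
    if (pipe(pfd) < 0 || (leader = fork()) < 0)
        return -1;
    if (leader == 0) {
        signal(SIGTERM, SIG_DFL);
        setpgid(0, 0);                 /* leader of its own process group */
        close(pfd[0]);
        if (fork() == 0) {             /* the "shell" */
            if (shell_calls_setsid)
                setsid();              /* new session and new process group */
            pid_t me = getpid();
            if (write(pfd[1], &me, sizeof me) != (ssize_t)sizeof me)
                _exit(1);
        }
        for (;;) pause();              /* both wait to be signalled */
    }
    close(pfd[1]);
    if (read(pfd[0], &shell_pid, sizeof shell_pid) != (ssize_t)sizeof shell_pid)
        return -1;
    kill(-leader, SIGTERM);            /* group-directed signal, as init sends */
    waitpid(leader, NULL, 0);
    /* Only the shell can still hold the write end: hang-up means it died. */
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    int died = poll(&p, 1, 500) > 0;
    if (!died)
        kill(shell_pid, SIGKILL);      /* clean up the survivor */
    close(pfd[0]);
    return !died;
}

int main(void)
{
    printf("same group: survives=%d, after setsid(): survives=%d\n",
           shell_survives_group_term(0), shell_survives_group_term(1));
    return 0;
}
```
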
Bug#406587: init and telinit can reveal root pass on return from runlevel 1

2007-01-11 Thread Lewis Stoddart
Subject: init and telinit can reveal root pass on return from runlevel 1
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security

Hi,

It seems that, upon returning from runlevel 1, init is failing to kill the 
recovery console, which then tries to run the user's password as a command when 
they try to log in again. /sbin/init and /sbin/telinit appear to give identical 
results. An earlier version of sysvinit (2.86.ds1-15) does not appear to be 
affected by this bug.

To reproduce:

1. log in as root at a local console.

2. run `init 1' to enter that runlevel.

3. enter root password (for maintenance).

4. run `init 2' to return to the original runlevel.

5. you should see a login: prompt. attempt to log in.

On my box, I got `bash: mypassword: command not found'. It's very embarrassing 
to see your root pass echoed to a terminal. 

Cheers, 
L

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)

Versions of packages sysvinit depends on:
ii  initscripts      2.86.ds1-36  Scripts for initializing and shutt
ii  libc6            2.3.6.ds1-8  GNU C Library: Shared libraries
ii  libselinux1      1.32-3       SELinux shared libraries
ii  libsepol1        1.14-1       Security Enhanced Linux policy lib
ii  sysv-rc          2.86.ds1-36  System-V-like runlevel change mech
ii  sysvinit-utils   2.86.ds1-36  System-V-like utilities

sysvinit recommends no packages.

-- no debconf information





Bug#406587: init and telinit can reveal root pass on return from runlevel 1

2007-01-11 Thread Grant Thomas

I have the same problem as Lewis Stoddart above, with a small difference.

My machine gives the bash error when the username is supplied.
I do not receive the password in cleartext.

The problem does not appear when the maintenance mode is skipped with 
ctrl+D.



-- System Information:
Debian Release: 4.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)


