*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: friendly-recovery
When you install sash it clones your root account to create a 'sashroot'
account.
This is useless with Ubuntu, as Ubuntu has root's account locked out.
This means sash is cloning a locked out acount, which does no one any
good.
Additionally, on systems with root account passwords, this is a security
concern. Root account passwords are serious business, and they regularly
should be changed. By cloning the password, you are effectively by-
passing the normal processes in place in an institution to regulate the
root password.
As an example:
Company A has a system administrator, Evil-Bill. Now, Evil-Bill knows the
institution will change the root passwords on all the systems when he leaves.
He also knows that packages are not strictly watched. (How many places actually
strictly monitor packages and the user accounts they each create?) Before he
leaves, he installs 'sash'. They change all the root accounts, but they miss
his backdoor account 'sashroot'. A few weeks after he has left, he logs in and
performs his evil.
Note that this security concern occurs on Ubuntu systems in cases where
the administrator thought that creating a password for the root user
increased security of single-user mode, or in cases where administrative
policy at an institution requires setting/changing the root password on
a regular basis.
Another solution to the problem addressed by creating the 'sashroot' account
would be to use standard package logic to ask the user if their
root/single-user sessions should use a potentially more reliable staticly
compiled shell. Then all packages providing static shells should offer
alternatives. A name such as /bin/static-sh could be used as the common
alternative name. Then with the root account set to /bin/static-sh, things
should just work. (You could go as far as making /bin/bash a super-low
recommendation for /bin/static-sh, so that if things didn't get cleared up
properly when all the static shells were removed, the root account would still
be accessable.)
** Affects: sash (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
--
sash creates 'sashroot' account
https://bugs.launchpad.net/bugs/234434
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs