Calamares will let you set up a user account with no password

Not sure if this is a bug or a feature as Linux in general will allow you to make an account with a blank password. Granted, for security reasons, it'd be really silly to so as the first user, but "stupid is as stupid does."

@eeickmeyer I mean, it's not that you're wrong, but the `passwd` tool refuses to let you assign a user account a blank password even if you execute it as root. I get the feeling this isn't exactly something that is normally expected. It's also unclear how XScreenSaver will behave with this - I should test it.

OK, this is actually pretty bad. XScreenSaver locks you out of the system if it locks the screen and your password is blank.

Turns out there's an option in Calamares that lets you choose whether to allow a blank password or not.

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
https://iso.qa.ubuntu.com/qatracker/reports/bugs/2016436

passwd -d lets you delete a user's password. Ubuntu will still let that user log in, passwordless.

The bug mentioned in comment 3 may be https://bugs.debian.org/478260

I am surprised that Calamares is not setting the password to blank the same way that passwd -d or usermod -p "" does. It looks to me like Calamares is hashing a blank password since there is content in /etc/shadow

The Calamares installer log shows that is running this when it creates my user "jeremy"
"usermod" "-p" <password> "jeremy"

If I blank the password myself after install, then xscreensaver unlocks the screensaver without even asking for a password.

This bug was fixed in the package calamares-settings-ubuntu - 1:23.04.12

---------------
calamares-settings-ubuntu (1:23.04.12) lunar; urgency=medium

  * Don't allow the first user to be created with a blank password in either
    Lubuntu or Ubuntu Studio. (LP: #2016436)

 -- Aaron Rainbolt <email address hidden> Sun, 16 Apr 2023 17:34:56 -0500

Attached is the debdiff for the security team to sponsor for upload to Jammy.

ACK on the debdiff, thanks!

I've uploaded the package for building into the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please test it, and comment here. Once it has been tested, I will release it as a security update.

I guess Kinetic isn't needed because the ISO will never get a respin, is that accurate?

Thanks!

>I guess Kinetic isn't needed because the ISO will never get a respin, is that accurate?

That's absolutely correct.

Hi Marc, sorry about the delay.

Tested on latest Jammy daily images, added PPA and installed updated package. Works as expected in both Lubuntu and Ubuntu Studio.

I didn't put too much priority on this since it will only affect the next daily images for Jammy and hit end users once 22.04.3 is released.

This bug was fixed in the package calamares-settings-ubuntu - 1:22.04.4.3

---------------
calamares-settings-ubuntu (1:22.04.4.3) jammy-security; urgency=medium

  * Don't allow the first user to be created with a blank password in either
    Lubuntu or Ubuntu Studio. (LP: #2016436)

 -- Erich Eickmeyer <email address hidden> Mon, 17 Apr 2023 13:56:57 -0700

Of no real value, but I just tested for this on mantic.
I could not re-create with today's Lubuntu daily.

http://iso.qa.ubuntu.com/qatracker/milestones/446/builds/287003/testcases/1701/results