sash creates 'sashroot' account

Bug #234434 reported by Steven Black
Affects         Status         Importance   Assigned to   Milestone
sash (Debian)   Fix Released   Unknown
sash (Ubuntu)   Fix Released   Undecided    JC Hulce

Bug Description

Binary package hint: friendly-recovery

When you install sash it clones your root account to create a 'sashroot' account.

This is useless with Ubuntu, as Ubuntu has root's account locked out. This means sash is cloning a locked-out account, which does no one any good.

Additionally, on systems with root account passwords, this is a security concern. Root account passwords are serious business, and they should be changed regularly. By cloning the password, you are effectively bypassing the normal processes in place in an institution to regulate the root password.

As an example:
Company A has a system administrator, Evil-Bill. Now, Evil-Bill knows the institution will change the root passwords on all the systems when he leaves. He also knows that packages are not strictly watched. (How many places actually strictly monitor packages and the user accounts they each create?) Before he leaves, he installs 'sash'. They change all the root accounts, but they miss his backdoor account 'sashroot'. A few weeks after he has left, he logs in and performs his evil.

Note that this security concern occurs on Ubuntu systems in cases where the administrator thought that creating a password for the root user increased security of single-user mode, or in cases where administrative policy at an institution requires setting/changing the root password on a regular basis.

Another solution to the problem addressed by creating the 'sashroot' account would be to use standard package logic to ask the user if their root/single-user sessions should use a potentially more reliable statically compiled shell. Then all packages providing static shells should offer alternatives. A name such as /bin/static-sh could be used as the common alternative name. Then with the root account set to /bin/static-sh, things should just work. (You could go as far as making /bin/bash a super-low recommendation for /bin/static-sh, so that if things didn't get cleared up properly when all the static shells were removed, the root account would still be accessible.)

Revision history for this message
Steven Black (blacks-indiana) wrote :

Correcting the package this affects.

Steven Black (blacks-indiana) wrote :

I wanted to add that when sash is purged, it does not remove the sashroot account. -- However the shell gets changed to bash.

This means that if packages are being monitored by regular daily reports pulled from a dpkg -l list, you can get around this showing up in logs by installing sash and immediately purging sash.
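
The report above makes two points a package-list audit cannot catch: the cloned 'sashroot' entry (assumed here to carry root's UID and, until the root password is rotated, root's password hash), and the fact that purging sash leaves the account in /etc/passwd. The following audit script is an added example written for this page; it is not code from the sash package or from Debian/Ubuntu. It flags any non-root account with UID 0, any account whose shadow hash equals root's current (unlocked) hash, and any account that has appeared since a baseline copy of /etc/passwd, which is the check that catches an install-then-purge of sash. The passwd and shadow lines embedded in it are constructed sample data, and the file paths it reads on a live system are the standard Debian/Ubuntu ones.

```python
#!/usr/bin/env python3
"""Audit for root-clone accounts left behind by packages such as sash.

Added example for bug #234434, not code from the sash package. Checks:
  1. any account other than root with UID 0 (a cloned root entry is
     assumed to carry root's UID),
  2. any account whose shadow hash equals root's current hash (a clone
     made before the root password was rotated),
  3. accounts added since a baseline copy of /etc/passwd, which is what
     a daily 'dpkg -l' report misses when sash is installed and purged.
"""
import sys
from typing import Dict, List, Tuple

LOCKED = ("", "!", "*", "!!")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map account name -> list of fields for passwd/shadow-style text."""
    rows: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def is_locked(hash_field: str) -> bool:
    """Shadow entries that are empty or begin with '!' or '*' cannot log in."""
    return hash_field in LOCKED or hash_field[0] in "!*"


def find_root_clones(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for accounts that duplicate root."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    root_hash = shadow.get("root", ["root", ""])[1]
    findings: List[Tuple[str, str]] = []
    for name, fields in passwd.items():
        if name == "root":
            continue
        if fields[2] == "0":
            shell = fields[6] if len(fields) > 6 else "?"
            findings.append((name, "uid 0 (shell %s)" % shell))
        user_hash = shadow.get(name, [name, ""])[1]
        # A locked root (the Ubuntu default) shares '!' or '*' with every
        # other locked account; that is not a usable credential, so skip it.
        if not is_locked(root_hash) and user_hash == root_hash:
            findings.append((name, "same password hash as root"))
    return findings


def new_accounts(baseline_passwd: str, current_passwd: str) -> List[str]:
    """Accounts present now but absent from the baseline passwd copy."""
    before = parse_colon_file(baseline_passwd)
    after = parse_colon_file(current_passwd)
    return sorted(set(after) - set(before))


# Constructed sample: root's password has already been rotated, so sashroot
# keeps the old hash but still has UID 0 and a bash shell (as after a purge).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sashroot:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$newsalt$NEWHASHNEWHASHNEWHASH:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
sashroot:$6$oldsalt$OLDHASHOLDHASHOLDHASH:19000:0:99999:7:::
alice:$6$asalt$ALICEHASHALICEHASH:19000:0:99999:7:::
"""
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def main(argv: List[str]) -> int:
    """No arguments: audit the constructed sample. Three arguments
    (passwd, shadow, baseline passwd): audit a live system; reading
    /etc/shadow requires root."""
    if len(argv) == 4:
        with open(argv[1]) as f:
            passwd = f.read()
        with open(argv[2]) as f:
            shadow = f.read()
        with open(argv[3]) as f:
            baseline = f.read()
    else:
        passwd, shadow, baseline = SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE_PASSWD
    rc = 0
    for name, reason in find_root_clones(passwd, shadow):
        print("CLONE  %-10s %s" % (name, reason))
        rc = 1
    for name in new_accounts(baseline, passwd):
        print("NEW    %-10s not in baseline passwd" % name)
        rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a real host run it as `sudo ./audit_root_clones.py /etc/passwd /etc/shadow /var/backups/passwd.baseline` (the baseline path is an assumption; any trusted earlier copy of /etc/passwd will do) and act on a non-zero exit status. The UID-0 check is the one that survives a root-password rotation, since the clone's stale hash no longer matches root's.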

Christian Wolf (christianwolf) wrote :

Even worse:

harden-environment has sash as dependency.

This is not good.

Changed in sash:
status: Unknown → Fix Released
Kees Cook (kees)
Changed in sash:
status: New → Confirmed
JC Hulce (soaringsky) wrote :

The fixed version appears to have been synced from Debian, so I am closing this bug.

Changed in sash (Ubuntu):
assignee: nobody → JC Hulce (soaringsky)
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.