[jaunty] low graphics lets you get root shell with no authentication

Bug #310040 reported by Dave Gilbert
Affects: Ubuntu
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi,
At boot I just got an error about Ubuntu only being able to start in low graphics mode, it gives me an option to troubleshoot but also gives me an option to start a terminal - it does this with no form of authentication - that doesn't sound safe (especially if there was a way to screw up the X startup via say plugging in a weird monitor).

(This is on a prerelease Jaunty updated today 20th December 2008 - it's failing to get full graphics because it's in a virtualbox and it doesn't seem to have lost the virtualbox driver on an update).

(Bugs 178718 and 190370 both seem to have similar stories but from ages ago that was fixed).

Dave

Dominik Stadler (dominik-stadler) wrote:

Not sure about your setup, but in general as long as you don't encrypt your hard disk, anyone gaining physical access to your machine will usually be able to boot with a USB stick or a Live CD and through this access all the data on the disk anyway...

Dave Gilbert (ubuntu-treblig) wrote:

Not if you've put a password on the bios settings, made the hard drive first boot and don't let anyone edit the grub boot entries.

shawnlandden (shawnlandden) wrote:

Also this would allow someone to launch a second X shell even if a current one is up (i.e. gdmflexserver -l) as a normal user and perhaps break into a root shell.

Dave Gilbert (ubuntu-treblig) wrote:

OK, so as of the last couple of days the terminals have been disabled to stop this - but a standard GNOME text editor is used to edit and review logs and config files - and you can write and read any file with that; so it still doesn't really fix it.

Dave

Dave Gilbert (ubuntu-treblig) wrote:

Tested again today on latest Jaunty.
Still the same - the same editor currently lets you read and write any files - it also has an option of running a Python console letting you do arbitrary things.
But there again I guess if you can edit the xorg.conf you can do a lot of things anyway?

Dave

Aaron Grattafiori (cogitate) wrote:

I just noticed this on my Intrepid box after my nvidia module was crashing X (after some updates/changes)...

This really should be fixed... "Status Undecided" for 3 months is poor form, Ubuntu.
If a normal user can find a way to get X to crash when starting, you can gain a root shell in seconds.

While physical access is always a difficult problem to defend against... you could fix this issue by simply adding a proper password prompt. This is essentially single-user-mode for X, which on the console asks for your root password for maintenance... Why should this X11 equivalent be any different?

/etc/gdm/failsafeXinit is also executable by other... why?
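A small audit helper for the permission point raised above, added here as an example and not part of the bug report or of gdm itself: it flags the failsafe X init script when users other than root can execute or modify it, and prints the corrective chmod. The default path is the one named in the comment; the mode-bit logic is generic and works on any file.

```shell
#!/bin/sh
# check_failsafe_mode PATH
#   Returns 0 when the file is neither executable nor writable by "other"
#   and not writable by "group"; returns 1 (with a WARN line per finding)
#   otherwise; returns 2 if the file does not exist.
#   The default path comes from the bug report; it is an assumption that
#   the script lives there on the audited system.
check_failsafe_mode() {
    path="${1:-/etc/gdm/failsafeXinit}"
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 2
    fi
    # Take the 9 permission characters (rwxrwxrwx) from ls; this skips the
    # file-type column and any trailing ACL/SELinux marker, so it is portable.
    mode=$(ls -ld "$path" | cut -c2-10)
    status=0
    case "$mode" in
        ????????x) echo "WARN: $path executable by others ($mode)"; status=1 ;;
    esac
    case "$mode" in
        ???????w?) echo "WARN: $path writable by others ($mode)"; status=1 ;;
    esac
    case "$mode" in
        ????w????) echo "WARN: $path writable by group ($mode)"; status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "OK: $path mode $mode"
    else
        echo "fix: chmod go-w,o-x '$path'   (leaves the display manager, run as root, able to execute it)"
    fi
    return "$status"
}

# Stand-alone use: audit the path given on the command line, or the default.
if [ "${AUDIT_RUN:-1}" = 1 ] && [ -n "$1" ]; then
    check_failsafe_mode "$1"
fi
```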

This report contains Public Security information.
Everyone can see this security related information.
