plymouth initramfs-hook breaks SSH cryptroot unlocking via dropbear

Bug #733268 reported by Matthias Andree
This bug affects 1 person
Affects: plymouth (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: plymouth

Plymouth's initramfs-hook creates an /etc/passwd line for root, in order to remedy https://bugs.launchpad.net/ubuntu/+source/plymouth/+bug/649917 - however, it sets an invalid shell, namely /bin/bash. This makes it impossible to log into the initramfs's dropbear as root: dropbear refuses the login due to an invalid shell. This can cause users to get locked out of their machines if only installing plymouth and suffering from a power outage.

In cryptroot setups where dropbear is installed, the dropbear hook has previously created an /etc/passwd line for root that sets the proper /bin/sh shell.

Please fix plymouth to either set a valid shell, or not to stomp over existing ${DESTDIR}/etc/passwd configurations ASAP.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: plymouth 0.8.2-2ubuntu5.1 [modified: usr/share/initramfs-tools/hooks/plymouth]
ProcVersionSignature: Ubuntu 2.6.35-27.48-generic 2.6.35.11
Uname: Linux 2.6.35-27-generic x86_64
NonfreeKernelModules: fglrx
Architecture: amd64
Date: Fri Mar 11 14:37:48 2011
DefaultPlymouth: /lib/plymouth/themes/ubuntu-logo/ubuntu-logo.plymouth
MachineType: System manufacturer System Product Name
ProcCmdLine: root=/dev/mapper/vgcrypt0-root ro ip=192.168.0.4::192.168.0.253::hostname:eth0:none vga=794 quiet splash
ProcEnviron:
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcFB: 0 VESA VGA
SourcePackage: plymouth
TextPlymouth: /lib/plymouth/themes/ubuntu-text/ubuntu-text.plymouth
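
A check for the failure described in this report, as an added example that is not part of the original report or of the plymouth or dropbear packages: it reads etc/passwd in an unpacked initramfs tree and confirms that root's shell exists there. The function name, return codes and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the plymouth or dropbear hook code.
# Assumption: a shell is "usable" if its path exists and is executable
# inside the unpacked initramfs tree. Function name and return codes are
# hypothetical.

# check_initramfs_root_shell TREE
#   0: every root entry in TREE/etc/passwd names a shell present in TREE
#   1: a root entry names a shell that is missing from TREE
#   2: TREE/etc/passwd is missing or has no root entry
check_initramfs_root_shell() {
    tree=$1
    passwd="$tree/etc/passwd"
    [ -f "$passwd" ] || { echo "no etc/passwd in $tree" >&2; return 2; }
    found=0
    status=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell || [ -n "$name" ]; do
        [ "$name" = "root" ] || [ "$uid" = "0" ] || continue
        found=1
        # An empty shell field conventionally means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        if [ -x "$tree$shell" ]; then
            echo "ok: $name -> $shell"
        else
            echo "BAD: $name -> $shell is not in the initramfs" >&2
            status=1
        fi
    done < "$passwd"
    [ "$found" -eq 1 ] || { echo "no root entry in $passwd" >&2; return 2; }
    return "$status"
}

# Constructed sample tree: only /bin/sh exists, but root's shell is /bin/bash,
# which is the state the report describes.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/bin"
printf '#!/bin/sh\n' > "$demo/bin/sh" && chmod +x "$demo/bin/sh"
printf 'root:*:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
check_initramfs_root_shell "$demo" || echo "check failed with status $?"
rm -rf "$demo"
```

Run it against a directory into which the generated initramfs image has been unpacked, after every package change that regenerates the image.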

Matthias Andree (matthias-andree) wrote :
description: updated
Matthias Andree (matthias-andree) wrote :

Note that the "modified" file in the package contains the fix (see attached patch) and has been successfully tested.

description: updated
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
Matthias Andree (matthias-andree) wrote : AW: [Bug 733268] Re: plymouth initramfs-hook breaks SSH cryptroot unlocking via dropbear

It would seem that installing plymouth breaks the system and prevents remote logins (denial of service) even to admins, possibly incurring travel necessities to a colocation center hundreds of km away...
I had discussed this with fellow admins before flagging it as security.
--
Matthias Andree
