plymouth initramfs-hook breaks SSH cryptroot unlocking via dropbear

Bug #733268 reported by Matthias Andree on 2011-03-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
plymouth (Ubuntu)

Bug Description

Binary package hint: plymouth

Plymouth's initramfs-hook creates a /etc/passwd line for root, in order to remedy - however, it sets an invalid shell, namely /bin/bash. This makes it impossible to log into the initramfs's dropbear as root: dropbear refuses the login due to an invalid shell. This can cause users to get locked out of their machines if only installing plymouth and suffering from a power outage.

In cryptroot setups where dropbear is installed, the dropbear hook has previously created an /etc/passwd line for root that sets the proper /bin/sh shell.

Please fix plymouth to either set a valid shell, or not to stomp over existing ${DESTDIR}/etc/passwd configurations ASAP.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: plymouth 0.8.2-2ubuntu5.1 [modified: usr/share/initramfs-tools/hooks/plymouth]
ProcVersionSignature: Ubuntu 2.6.35-27.48-generic
Uname: Linux 2.6.35-27-generic x86_64
NonfreeKernelModules: fglrx
Architecture: amd64
Date: Fri Mar 11 14:37:48 2011
DefaultPlymouth: /lib/plymouth/themes/ubuntu-logo/ubuntu-logo.plymouth
MachineType: System manufacturer System Product Name
ProcCmdLine: root=/dev/mapper/vgcrypt0-root ro ip= vga=794 quiet splash
 PATH=(custom, no user)
SourcePackage: plymouth
TextPlymouth: /lib/plymouth/themes/ubuntu-text/ubuntu-text.plymouth

description: updated

Note that the "modified" file in the package contains the fix (see attached patch) and has been successfully tested.

description: updated
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no

It would seem that installing plymouth breaks the system and prevents remote logins (denial of service) even to admins, possibly incurring travel necessities to a colocation center hundreds of km away...
I had discussed this with fellow admins before flagging it as security.
Matthias Andree
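
The failure mode in this report can be checked before a reboot. The following is an added example, not code from the report, the attached patch, or the plymouth or dropbear packages: it audits a hook's ${DESTDIR} (or an unpacked initramfs tree) for passwd entries whose shell is absent from that tree, and shows a root-entry writer that leaves an existing entry alone. The function names, the sample passwd line and the "exists in the tree" validity test are assumptions; dropbear's own shell check may be stricter.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from any package).
# Usage: check_initramfs_shells /path/to/unpacked-initramfs

# Report every passwd entry whose login shell is missing from the tree.
# Assumption: a shell counts as valid if it is an executable file, or a
# symlink (e.g. to busybox), at that path under the tree.
check_initramfs_shells() {
    destdir=$1
    passwd="$destdir/etc/passwd"
    [ -r "$passwd" ] || { echo "no etc/passwd in $destdir" >&2; return 2; }
    bad=0
    # "|| [ -n "$user" ]" keeps a final line that lacks a trailing newline.
    while IFS=: read -r user _pw _uid _gid _gecos _home shell || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        # An empty shell field is conventionally treated as /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        target="$destdir$shell"
        if [ -d "$target" ] || { [ ! -x "$target" ] && [ ! -L "$target" ]; }; then
            echo "$user: shell $shell not present under $destdir" >&2
            bad=1
        fi
    done < "$passwd"
    return $bad
}

# Write a root entry only when none exists, so an entry created earlier by
# another hook (the dropbear hook in this report) is not overwritten.
# The passwd line below is a constructed sample value.
ensure_root_entry() {
    destdir=$1
    mkdir -p "$destdir/etc"
    if grep -q '^root:' "$destdir/etc/passwd" 2>/dev/null; then
        return 0
    fi
    echo 'root:x:0:0:root:/root:/bin/sh' >> "$destdir/etc/passwd"
}
```

A nonzero return from `check_initramfs_shells` on a freshly built image means a remote unlock login as the listed user is likely to be refused.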
