Backing up from final installation dialog results in blank root password

Bug #48350 reported by Iwan on 2006-06-04
258
Affects Status Importance Assigned to Milestone
shadow (Ubuntu)
High
Colin Watson
user-setup (Ubuntu)
High
Colin Watson

Bug Description

Binary package hint: passwd

goto console 1, alt f1, login as root, just leave password blank when prompted, voila, local root

Iwan (iwan-pieterse) wrote :

it was an alternate normal install on amd64

Matt Zimmerman (mdz) wrote :

How did you respond to the root password questions when installing?

Matt Zimmerman (mdz) on 2006-06-05
Changed in shadow:
status: Unconfirmed → Needs Info

i was only prompted for normal user passwords, ive asked seveas in
#ubuntu on freenode to confirm for me, havent heard from him yet, he
can be trusted.

On 6/5/06, Matt Zimmerman <email address hidden> wrote:
> How did you respond to the root password questions when installing?
>
> --
> local root exploit
> https://launchpad.net/bugs/48350
>

I just tested this on the Dapper release candidate (which happened to be what I had handy) and didn't experience this bug. I'm not aware of any relevant changes between RC and release.

Could you please attach /var/log/installer/syslog to this bug? Thanks.

On 6/5/06, Colin Watson <email address hidden> wrote:
> I just tested this on the Dapper release candidate (which happened to be
> what I had handy) and didn't experience this bug. I'm not aware of any
> relevant changes between RC and release.
>
> Could you please attach /var/log/installer/syslog to this bug? Thanks.
>
> --
> local root exploit
> https://launchpad.net/bugs/48350
>

Iwan, I'm afraid e-mail attachments don't work in this bug tracking system yet; you need to use the "Add Attachment" link on the bug's web page.

syslog from the install

This is a problem with user-setup; because its prebaseconfig script runs before prebaseconfig's final message and isn't idempotent, if you back up from the final message and then go forward again, it will break.

Changed in shadow:
status: Needs Info → Confirmed
Colin Watson (cjwatson) wrote :

Ironically, this is because we were being zealous in avoiding the information leak in the Breezy installer. Making sure that the password is cleared out of the cdebconf database when user-setup-apply runs means that if user-setup-apply is run again then it no longer has the information it needs to do things properly ...

Colin Watson (cjwatson) wrote :

Fixing this on upgrades would require an update to something like shadow (selected somewhat arbitrarily).

Changed in shadow:
status: Unconfirmed → Confirmed
Iwan (iwan-pieterse) wrote :

i looked @ syslog, didnt see anything interesting, how did you determine where the bug was? am wondering how you picked it out?

Iwan (iwan-pieterse) wrote :

i think the problem was when i setup raid, i have sda1 sdb1 as ext3 and mounted as root / and swap sda2 sdb2, i went back when the installer told me I forgot to specify a swap partition

Colin Watson (cjwatson) wrote :

I had a suspicion of what the bug might be, and confirmed it by looking at the log messages from prebaseconfig. Note how "prebaseconfig: info: Running /usr/lib/prebaseconfig.d/06user-setup" appears twice with an intervening backup.

No, you going back in the partitioner did not cause this bug.

Iwan (iwan-pieterse) wrote :

any person with a normal user account can ssh into my system and gain root, though most ppl dont install ssh, but does't this bug qualify as more than normal severity?

Colin Watson (cjwatson) wrote :

If you like, but I don't think the severity much matters; we'll be dealing with this ASAP after dapper-security opens regardless of the severity.

Colin Watson (cjwatson) wrote :

user-setup (1.1ubuntu4) dapper-security; urgency=low

  * Refuse to apply an empty root password, which can happen if
    user-setup-apply is run twice due to backing up from prebaseconfig's
    final message (closes: Malone #48350).

 -- Colin Watson <email address hidden> Mon, 10 Jul 2006 17:43:34 +0100

I've also included this change in edgy.

Changed in user-setup:
assignee: nobody → kamion
status: Confirmed → Fix Committed
Colin Watson (cjwatson) wrote :

shadow (1:4.0.13-7ubuntu3.2) dapper-security; urgency=low

  * Tidy up after Malone bug #48350, which left an empty root password if
    you backed up from the installer's final message, by locking the root
    password if this condition is detected. Unfortunately I don't know of a
    reliable way to tell whether this situation arose due to the installer
    bug or deliberately, so the postinst is verbose and we make sure only to
    make this change once.

 -- Colin Watson <email address hidden> Tue, 11 Jul 2006 09:44:49 +0100

I've also included this change in edgy.

A USN will be issued shortly.

Changed in shadow:
assignee: nobody → kamion
status: Confirmed → Fix Committed
importance: Medium → High
Martin Pitt (pitti) wrote :

Dapper fixed in http://www.ubuntu.com/usn/usn-316-1. Edgy was fixed yesterday, closing.

I made the bug public since the USN refers to it and it's now fixed.

Changed in shadow:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

I leave the user-setup task open; USN-316-1 updated the packages in the archive, but this should be closed when we released Dapper point release images.

Martin Pitt (pitti) wrote :

Dapper point release was published ages ago, closing.

Changed in user-setup:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers