Bug 681119

Summary: A big security problem in /etc/init/rcS-sulogin.conf
Product: Fedora
Component: initscripts
Version: 14
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: Security, Triaged
Reporter: homerxing <homer.xing>
Assignee: Bill Nottingham <notting>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: homer.xing, iarlyy, jonathan, notting, plautrba, rvokal
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Last Closed: 2011-03-01 18:07:29 UTC

Description homerxing 2011-03-01 07:01:14 UTC
Description of problem:
When I enter single user mode from GRUB, I can log in to Fedora 14 without being asked for any password. Then I can change the root password. It is a big security problem.

Version-Release number of selected component (if applicable):
Fedora 14. initscripts is of the latest version.

How reproducible:
It is easy to reproduce.

Steps to Reproduce:
1. Power on the computer. 
2. Press Space at the GRUB window. 
3. Press "e" key at the "Fedora 14" item. 
4. Add "single" at the end of line. 
5. Press "b" key to boot the computer. 
6. Then a root shell is obtained.

Actual results:
A root shell is obtained.

Expected results:
The user should be asked for a password.

Additional info:
The security problem is in /etc/init/rcS-sulogin.conf
The line "exec $SINGLE" is not good. It should be "exec /sbin/sulogin". The variable "SINGLE" can be deleted.
Ubuntu has already fixed the security problem. If Fedora does not fix it, some Fedora users may turn to Ubuntu, since Ubuntu is more secure.

Comment 1 iarly selbir 2011-03-01 11:31:46 UTC
You can set a password to protect your grub against a local attack.

Is there anything we can do, Bill?

Thanks for your report.


-- 
Fedora Bugzappers Team Member

Comment 2 Bill Nottingham 2011-03-01 18:07:29 UTC
This has always been the case; single-user mode has never asked for a password by default.

If this bothers you, edit /etc/sysconfig/init (see the SINGLE entry), or add a bootloader password.

Comment 3 homerxing 2011-03-02 01:56:55 UTC
It is Red Hat company's responsibility to ask for a password for single-user mode, because many Fedora users do not know how to fix this security problem at all.

Comment 4 Bill Nottingham 2011-03-02 18:12:18 UTC
... This has been the documented default since well before Fedora has existed, to the point where it's expected.

Moreover, changing this doesn't help at all without additional steps (bootloader password, securing physical access, and so on.)
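
An added example, not part of the original thread or of initscripts: a small audit of the two settings the comments point to, the SINGLE entry in /etc/sysconfig/init and a bootloader password. It assumes the GRUB legacy configuration format used by Fedora 14; the function names, the sample files, and the sample value /sbin/sushell are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings named in the thread.
# File paths are arguments so the checks can run against copies.

# Effective SINGLE value from an /etc/sysconfig/init style file
# (a shell fragment, so the last uncommented assignment wins).
single_value() {
    sed -n 's/^[[:space:]]*SINGLE=//p' "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# True if single-user mode will ask for the root password.
single_prompts() { [ "$(single_value "$1")" = "/sbin/sulogin" ]; }

# True if a GRUB legacy config has a global "password" directive, i.e. one
# before the first "title" line, which is what locks the menu's edit keys.
grub_has_password() {
    awk '/^[[:space:]]*title[[:space:]]/ { exit }
         /^[[:space:]]*password[[:space:]=]/ { found = 1; exit }
         END { exit !found }' "$1" 2>/dev/null
}

# audit INIT_FILE GRUB_FILE: print findings, return the number of gaps.
audit() {
    gaps=0
    if single_prompts "$1"; then
        echo "OK   single-user mode runs /sbin/sulogin"
    else
        echo "GAP  SINGLE='$(single_value "$1")': root shell without a password"
        gaps=$((gaps + 1))
    fi
    if grub_has_password "$2"; then
        echo "OK   GRUB has a global password"
    else
        echo "GAP  no global GRUB password: boot entries can be edited"
        gaps=$((gaps + 1))
    fi
    return "$gaps"
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'SINGLE=/sbin/sushell' > "$demo/init"
printf '%s\n' 'default=0' 'timeout=5' 'title Fedora 14' \
    '  password --md5 PLACEHOLDER_HASH' > "$demo/grub.conf"
audit "$demo/init" "$demo/grub.conf" || echo "gaps found: $?"
rm -rf "$demo"
```

The sample grub.conf places its password line inside a title entry, so it is reported as a gap: only a directive before the first title counts as global.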