Bug 927922

Summary: root account accessible without password when administrator user is created but no root passwd set
Product: [Fedora] Fedora Reporter: Jan Stodola <jstodola>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 19CC: anaconda-maint-list, awilliam, g.kaviyarasu, jonathan, mkolman, petersen, robatino, satellitgo, sbueno, sstsalazar, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: anaconda-19.23-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-13 17:14:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 834088    
Attachments:
Description Flags
anaconda.log
none
anaconda.packaging.log
none
anaconda.program.log
none
anaconda.storage.log
none
passwd
none
syslog none

Description Jan Stodola 2013-03-26 14:08:17 UTC 
Description of problem:
root is able to login without providing a password if new user account is created during the installation and it is set as administrator of the system.

Version-Release number of selected component (if applicable):
F19-Alpha-TC2
anaconda-19.13

How reproducible:
always

Steps to Reproduce:
1. start installation
2. proceed through partitioning and package set selection (tested with minimal package set)
3. create new user - make him administrator of the system and enter password for this account
4. do NOT set any password for root
5. finish the installation and reboot to installed system
6. try to login as root
  
Actual results:
root is able to login without entering password

Expected results:
root is not able to login since no password was specified during the installation

Additional info:
reproduced during both text and graphical installation
Comment 1 Jan Stodola 2013-03-26 14:11:38 UTC 
Created attachment 716532 [details]
anaconda.log
Comment 2 Jan Stodola 2013-03-26 14:11:47 UTC 
Created attachment 716533 [details]
anaconda.packaging.log
Comment 3 Jan Stodola 2013-03-26 14:11:54 UTC 
Created attachment 716534 [details]
anaconda.program.log
Comment 4 Jan Stodola 2013-03-26 14:11:58 UTC 
Created attachment 716535 [details]
anaconda.storage.log
Comment 5 Jan Stodola 2013-03-26 14:12:02 UTC 
Created attachment 716536 [details]
passwd
Comment 6 Jan Stodola 2013-03-26 14:12:06 UTC 
Created attachment 716537 [details]
syslog
Comment 7 Jens Petersen 2013-04-02 09:28:40 UTC 
I just reproduced this too with TC3.

Proposing as an Alpha blocker since I think we really should not ship
even Alpha with this kind of vulnerability present.
Comment 8 Jens Petersen 2013-04-03 00:40:15 UTC 
Root login should be disabled if no root passwd is setup by anaconda.
Comment 9 Adam Williamson 2013-04-03 17:11:38 UTC 
Discussed at 2013-04-03 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-04-03/f19alpha-blocker-review-4.2013-04-03-16.01.log.txt . Rejected as a blocker: we just don't see this as serious enough. Alpha is not meant to be deployed in any kind of production scenario. You can't log in via ssh to a password-less account, hence this isn't (obviously) remotely exploitable. You still have to manually decide not to enter a root password and then create an admin user to cause this. It's a bug, yeah, but it doesn't hit any criteria and no-one seemed particularly keen to make it a blocker.

Accepted as a freeze exception bug, though: it's always nice to fix security issues if the fix isn't too invasive.
Comment 10 Jens Petersen 2013-04-04 03:33:10 UTC 
(Still true for TC4)
Comment 11 Sander Salazar 2013-04-14 19:05:51 UTC 
Reproduced in TC6.
Comment 12 Fedora Update System 2013-04-30 12:22:25 UTC 
anaconda-19.23-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/anaconda-19.23-1.fc19
Comment 13 Adam Williamson 2013-04-30 18:45:45 UTC 
Re-proposing as Beta FE, just in case, since it was Alpha FE (but we should get this fixed before freeze hits anyway).
Comment 14 Fedora Update System 2013-04-30 20:01:37 UTC 
Package anaconda-19.23-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-19.23-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7049/anaconda-19.23-1.fc19
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2013-05-03 21:05:32 UTC 
anaconda-19.24-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/anaconda-19.24-1.fc19
Comment 16 Jan Stodola 2013-05-06 12:08:21 UTC 
Retested with F19-Beta-TC3 (anaconda-19.24-1). If no root password is entered during installation, root is not able to login later on installed system.

Moving to VERIFIED.
Comment 17 Adam Williamson 2013-05-13 17:14:01 UTC 
19.25 went stable; closing.