Bug 20533 - root's password doesn't unlock
Summary: root's password doesn't unlock
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: vlock   
(Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Michael K. Johnson
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-11-08 19:13 UTC by Trond Eivind Glomsrxd
Modified: 2008-05-01 15:37 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-03-30 02:28:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Trond Eivind Glomsrxd 2000-11-08 19:13:25 UTC
When locking a tty with "vlock -a", if the user's password isn't correct
you'll be asked for root's password. However, this will always be rejected,
so root can't unlock - or switch to other consoles, making this an
effective DOS.

Comment 1 Andrew Bartlett 2000-11-11 07:08:35 UTC
vlock is not set-uid root, and as such cannot do anything the user couldn't do
already.  Unfortunetly this also includes validating the root password (in most
circumstances).  (Users can validate thier own password, but only by using a
small helper app invoked by PAM).

BTW, vlock -a also was the subject of an security advisory
(http://lwn.net/2000/1109/a/sec-vlock.php3), as -a allowed any user to bypass
the password (ouch...).

Comment 2 Mark Doliner 2001-03-30 02:28:27 UTC
Just as a tiny note, entering the user's password when prompted for root's
password will resume the user session.  It seems like if you're not going to
allow root to log in, you should at least change the prompt to "user's
Password:" rather than "root's Password:"

Comment 3 Michael K. Johnson 2002-01-18 17:54:33 UTC
Software: that's the design behaviour; it's not giving you a new shell.
abartlett: you are right, there's no additional DOS beyond what you can
do anyway.

Note You need to log in before you can comment on or make changes to this bug.