Bug 5265 - becoming root without knowing root password
Product: Red Hat Linux
Classification: Retired
Component: lilo
Hardware: i386 Linux
Priority: high, Severity: medium
Assigned To: David Lawrence
Keywords: Security
Duplicates: 5287
Reported: 1999-09-21 05:26 EDT by rquast
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 1999-09-21 10:51:12 EDT
Description rquast 1999-09-21 05:26:56 EDT
Red Hat Linux 6.0 allows booting in single user mode (and
becoming root) without asking for the root password.
Comment 1 Bill Nottingham 1999-09-21 10:51:59 EDT
and you can do the same thing with linux init=/bin/bash.
Therefore, we won't change the 'linux single' behavior.
Comment 2 Bill Nottingham 1999-09-21 18:10:59 EDT
*** Bug 5287 has been marked as a duplicate of this bug. ***

Are you aware that when the computer is sitting at the lilo:
prompt and you type 'linux 1', when it boots to single user,
you can use the passwd utility to change the root password
without knowing the root password!

I don't know if this is a bug or if this is supposed to be
this way.  It just seems like it is not real secure.
Comment 3 asosin 2000-03-16 13:26:59 EST
I don't understand why this is marked as resolved.  This is a major security
problem.  On the Server this may not be an issue, but in a desktop environment
if a user knows how to type: linux init=/bin/bash
or some other command like that, this will allow them root or God access.
Is there some way to prompt a user for root password every time they type
something in, but if they use the menu option "tab" then no password is required?
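
The behaviour asked about in the last comment corresponds to LILO's `password=` directive combined with `restricted`, which asks for the password only when arguments are typed at the `lilo:` prompt. The script below is an added example, not part of the bug report or of Red Hat's tooling, that audits a lilo.conf for those directives and for file permissions; the sample files and the password value are constructed.

```sh
#!/bin/sh
# Added example: audit lilo.conf for boot-prompt password protection.
# Only the global section (before the first image=/other=) is inspected.

audit_lilo() {
    conf=$1
    mode=$(awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # drop comments and blanks
        /^(image|other)=/ { exit }              # global section ends here
        /^password=/      { pw = 1 }
        /^restricted$/    { r = 1 }
        END { print (pw ? (r ? "restricted" : "mandatory") : "none") }
    ' "$conf")
    # Group/other permission bits from ls, e.g. "------" for mode 600.
    perms=$(ls -ld "$conf" | cut -c5-10)
    rc=0
    case $mode in
        none)       echo "FAIL: no global password=; boot-prompt arguments are accepted unauthenticated"; rc=1 ;;
        restricted) echo "OK: password asked only when arguments are typed at the prompt" ;;
        mandatory)  echo "OK: password asked for every boot" ;;
    esac
    if [ "$mode" != none ] && [ "$perms" != "------" ]; then
        echo "FAIL: $conf stores the password in cleartext but group/other can access it"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from the bug report).
write_samples() {
    dir=$1
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=50' \
        'image=/boot/vmlinuz' '    label=linux' '    root=/dev/hda1' > "$dir/weak.conf"
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=50' \
        'password=PLACEHOLDER   # constructed value' 'restricted' \
        'image=/boot/vmlinuz' '    label=linux' '    root=/dev/hda1' > "$dir/hardened.conf"
    chmod 644 "$dir/weak.conf"
    chmod 600 "$dir/hardened.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    printf '%s: ' "$f"
    audit_lilo "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

After editing the real /etc/lilo.conf, the boot map has to be reinstalled by running `lilo` for the change to take effect.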
