Bug 57303 - getting into root w/o password
Summary: getting into root w/o password
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: lilo
Version: 7.2
Hardware: i686
OS: Linux
high
medium
Target Milestone: ---
Assignee: Doug Ledford
QA Contact: Brock Organ
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-12-09 13:35 UTC by james Tate
Modified: 2007-03-27 03:50 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2001-12-09 13:35:23 UTC


Attachments (Terms of Use)

Description james Tate 2001-12-09 13:35:19 UTC
Description of Problem: I can login on Redhat 7.1 or 7.2 to root without
using password.


Version-Release number of selected component (if applicable):RH7.1, 7.2


How Reproducible:


Steps to Reproduce:
1. At dual boot window, hit ctrl x
2. At Boot: type in ""Linux single"
3. sh-2.04# su 
4. and to: [root@localhost /]  " without having to use my root password" .


Actual Results:


Expected Results:


Additional Information:
Surely this isn't a normal ?

Comment 1 Doug Ledford 2001-12-10 04:27:01 UTC
This is, in fact, the expected behaviour.  In fact, you don't even have to do
the su step above, at the first prompt you were already root.  If you want to
protect your machine from this then you have to put a password on lilo to keep
people from booting the machine into single user mode.  The reason that the
default setup leaves this open is because a person can't do this without having
physical access to the machine during the boot process, and if they have
physical access to the machine then all the rest of your security measures are
moot.  So, instead of making like difficult for people that have physical access
to the machine, this is in fact a handy recovery tool when you have forgotten
your root password.  Using this exact technique, you can change the root
password to something new in those situations when you otherwise couldn't get
into the machine with root priveledges.


Note You need to log in before you can comment on or make changes to this bug.