Red Hat Bugzilla – Bug 57303
getting into root w/o password
Last modified: 2007-03-26 23:50:16 EDT
Description of Problem: I can login on Redhat 7.1 or 7.2 to root without
Version-Release number of selected component (if applicable):RH7.1, 7.2
Steps to Reproduce:
1. At dual boot window, hit ctrl x
2. At Boot: type in ""Linux single"
3. sh-2.04# su
4. and to: [root@localhost /] " without having to use my root password" .
Surely this isn't a normal ?
This is, in fact, the expected behaviour. In fact, you don't even have to do
the su step above, at the first prompt you were already root. If you want to
protect your machine from this then you have to put a password on lilo to keep
people from booting the machine into single user mode. The reason that the
default setup leaves this open is because a person can't do this without having
physical access to the machine during the boot process, and if they have
physical access to the machine then all the rest of your security measures are
moot. So, instead of making like difficult for people that have physical access
to the machine, this is in fact a handy recovery tool when you have forgotten
your root password. Using this exact technique, you can change the root
password to something new in those situations when you otherwise couldn't get
into the machine with root priveledges.