763416 – (GLUSTER-1684) Gaining access to the shell/root with no password is trivial

Bug 763416 (GLUSTER-1684) - Gaining access to the shell/root with no password is trivial

Summary: Gaining access to the shell/root with no password is trivial

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	GLUSTER-1684
Product:	GlusterSP
Classification:	Retired
Component:	core
Sub Component:
Version:	3.0.5
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	3.1
Assignee:	Balamurugan Arumugam
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-09-23 14:11 UTC by Kevin Brooks
Modified:	2010-11-29 10:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Kevin Brooks 2010-09-23 12:03:54 UTC

It seems that su does ask you to authenticate, although I'm positive I've done this without having it asking (but I may have authenticated and been within the 5 minute sudo grace period), using your gluster UID password to gain root access.

So, it appears root access isn't as easy as I thought, but server access without authentication as the gluster UID is still a serious issue.

Comment 1 Kevin Brooks 2010-09-23 14:11:40 UTC

Anyone with console access can easily gain root access. By pressing F11 Firefox is minimized and the user can start an xterm.  Steps to reproduce:

At the login screen:

1. Press F11 and minimize firefox
2. Right click and start the PCManFM file manager
3. Browse to any file and use "Open with"
4. Select xterm from the list of "All Applications"
5. sudu su gets you root access with no password

Note You need to log in before you can comment on or make changes to this bug.