Bug 763416 (GLUSTER-1684) - Gaining access to the shell/root with no password is trivial
Summary: Gaining access to the shell/root with no password is trivial
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: GLUSTER-1684
Product: GlusterSP
Classification: Retired
Component: core
Version: 3.0.5
Hardware: x86_64
OS: Linux
low
high
Target Milestone: 3.1
Assignee: Balamurugan Arumugam
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-23 14:11 UTC by Kevin Brooks
Modified: 2010-11-29 10:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:



Description Kevin Brooks 2010-09-23 12:03:54 UTC
It seems that su does ask you to authenticate, although I'm positive I've done this without it asking (but I may have authenticated and been within the 5-minute sudo grace period), using your gluster UID password to gain root access.

So, it appears root access isn't as easy as I thought, but server access without authentication as the gluster UID is still a serious issue.

Comment 1 Kevin Brooks 2010-09-23 14:11:40 UTC
Anyone with console access can easily gain root access. By pressing F11 Firefox is minimized and the user can start an xterm. Steps to reproduce:

At the login screen:

1. Press F11 and minimize Firefox
2. Right click and start the PCManFM file manager
3. Browse to any file and use "Open with"
4. Select xterm from the list of "All Applications"
5. sudo su gets you root access with no password

