Bug 81106 - REDHAT LINUX 8.0 Login Security Breach!!!
Summary: REDHAT LINUX 8.0 Login Security Breach!!!
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bash
Version: 8.0
Hardware: i586
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-01-04 20:50 UTC by Paulo Santos
Modified: 2007-03-27 03:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-01-04 21:24:16 UTC
Embargoed:



Description Paulo Santos 2003-01-04 20:50:53 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
A few days ago... 3 or 4, I've found out that when I start my system in single
user mode, by passing the command "linux telinit 1" at the LILO boot prompt, the
system, after the boot sequence, goes directly to the bash command line without
any required authentication of any user first. That way I gain full access to the
system, with full root privileges. I think it is a severe security breach,
because any user with malevolent intentions can gain full access to the system
and become its owner.

I'm using Redhat 8.0 on an Intel Celeron 266 MHz (Covington processor)
with LILO as a bootloader for a dual-boot system.
I'm registered at RHN and my system is up to date!

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. I do Ctrl+X at the LILO boot screen to get to the LILO command line

2. Then I type:
lilo: linux telinit 1

Actual Results:  3. After the boot process the system goes directly to the bash
command line with root privileges!!!

Expected Results:  I would expect the system to go to the login screen and wait
for a user to authenticate and log into the system after that

Additional info:
I've posted this bug to this component but I think it is a systemwide security
bug, as I could not find any related component more appropriate

Comment 1 Tim Waugh 2003-01-04 21:24:16 UTC
You forgot to set a LILO password.
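
An added example, not part of the bug thread or of Red Hat's code: a shell check for the condition Comment 1 points at, reporting boot entries in a lilo.conf that no `password=` covers, and a password-bearing file that group or others can read. The sample files, their paths and the `CHANGE-ME` placeholder are constructed; `restricted` is the LILO option that asks for the password only when parameters are typed at the boot prompt.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a lilo.conf for boot-prompt protection.
# Simplified parser: '#' starts a comment; a global password= covers every boot entry.

# check_lilo_conf FILE: prints one finding per line; returns 0 only if there are none.
check_lilo_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    rc=0
    awk '
        function flush() {
            if (insec && !pw && !global) { print "NO-PASSWORD " name; bad = 1 }
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }    # strip comments, trim
        $0 == "" { next }
        /^(image|other)[ \t]*=/ {                          # a new boot entry starts
            flush(); name = $0; sub(/^[^=]*=[ \t]*/, "", name)
            insec = 1; pw = 0; next
        }
        /^password[ \t]*=/ { if (insec) pw = 1; else global = 1 }
        END { flush(); exit bad + 0 }
    ' "$conf" || rc=1
    # The password is stored in clear text, so group/world read access exposes it.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf" &&
       [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "READABLE-BY-OTHERS $conf"; rc=1
    fi
    return $rc
}

# Constructed sample files: the reporter's situation and the fix from Comment 1.
write_samples() {
    printf '%s\n' 'prompt' 'timeout=50' 'image=/boot/vmlinuz' \
        '    label=linux' '    root=/dev/hda2' > "$1/weak.conf"
    printf '%s\n' 'prompt' 'timeout=50' '# constructed placeholder password' \
        'password=CHANGE-ME' 'restricted' 'image=/boot/vmlinuz' \
        '    label=linux' '    root=/dev/hda2' > "$1/hardened.conf"
    chmod 644 "$1/weak.conf"; chmod 600 "$1/hardened.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/weak.conf" "$dir/hardened.conf"; do
    check_lilo_conf "$f" && echo "OK $f"
done
rm -rf "$dir"
```

After a change to the real `/etc/lilo.conf`, `/sbin/lilo` has to be run again before the new setting applies at boot.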

