Bug 8390
| Summary: | root gained without password | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Steve Willoughby <willoughby_s> |
| Component: | SysVinit | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | rhw, rvokal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2000-01-13 16:20:35 UTC | Type: | --- |
Description
Steve Willoughby
2000-01-12 01:16:04 UTC
You can do the same thing with 'linux init=/bin/bash'. Without restricting lilo (look at the password options), restricting 'linux single' is somewhat pointless. I have to admit that's one thing I would like to see changed, preferably so it works along the lines of the following logic:
1. At the moment, the "password=" line specifies the password to use. I
would prefer to see this replaced with a "user=" line specifying the
user whose password is to be used.
2. When `lilo` is run and sees a "user=" line, it asks the user running
it for a password and validates it against the login password of the
specified user, aborting if they don't match.
3. If the password matches, lilo stores an encrypted version thereof in
the relevant boot sector as part of its duties, and it is this that
is used during system boot if a password is required.
Apart from anything else, this would remove a security risk from Linux.
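
The check below is an added example, not part of the bug report or of lilo itself: it audits a `lilo.conf` for the `password=` and `restricted` keywords that the comment above refers to as lilo's password options, and flags a configuration file that group or other users can access, because `password=` keeps the password in clear text. The function names and the two sample configurations are constructed for illustration, with placeholder device and kernel paths.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for boot-prompt protection.
# Prints one finding per line and returns the number of findings (0 = OK).
audit_lilo_conf() {
    conf=$1
    findings=0
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        # password= is kept in clear text, so group/other must have no access.
        perms=$(ls -ld "$conf" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "readable-password: $conf holds a clear-text password and is accessible to group/other"
            findings=$((findings + 1))
        fi
        # Without "restricted" the password is asked on every boot; with it, only
        # when parameters (single, init=...) are typed at the boot prompt.
        grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$conf" ||
            echo "note: no 'restricted' keyword, password is required for every boot"
    else
        echo "no-password: anyone at the console can pass 'single' or 'init=/bin/bash'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configurations (device and kernel paths are placeholders).
write_samples() {
    dir=$1
    cat > "$dir/open.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    cat > "$dir/locked.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=CHANGE-ME
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    chmod 644 "$dir/open.conf"
    chmod 600 "$dir/locked.conf"
}
```

After sourcing the file, `audit_lilo_conf /etc/lilo.conf` run as root reports on the live configuration; changes to that file only take effect once `lilo` has been re-run.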