Bug 927922 - root account accessible without password when administrator user is created but no root passwd set
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 19
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Blocks: F19Beta-accepted/F19BetaFreezeException
Reported: 2013-03-26 10:08 EDT by Jan Stodola
Modified: 2013-05-13 13:14 EDT
Fixed In Version: anaconda-19.23-1
Doc Type: Bug Fix
Last Closed: 2013-05-13 13:14:01 EDT
Type: Bug

Attachments:
anaconda.log (12.95 KB, text/plain), 2013-03-26 10:11 EDT, Jan Stodola
anaconda.packaging.log (977.00 KB, text/plain), 2013-03-26 10:11 EDT, Jan Stodola
anaconda.program.log (36.25 KB, text/plain), 2013-03-26 10:11 EDT, Jan Stodola
anaconda.storage.log (136.59 KB, text/plain), 2013-03-26 10:11 EDT, Jan Stodola
passwd (1.20 KB, text/plain), 2013-03-26 10:12 EDT, Jan Stodola
syslog (86.26 KB, text/plain), 2013-03-26 10:12 EDT, Jan Stodola

Description Jan Stodola 2013-03-26 10:08:17 EDT
Description of problem:
root is able to log in without providing a password if a new user account is created during the installation and it is set as administrator of the system.

Version-Release number of selected component (if applicable):
F19-Alpha-TC2
anaconda-19.13

How reproducible:
always

Steps to Reproduce:
1. start installation
2. proceed through partitioning and package set selection (tested with minimal package set)
3. create new user - make him administrator of the system and enter password for this account
4. do NOT set any password for root
5. finish the installation and reboot to installed system
6. try to log in as root

Actual results:
root is able to log in without entering a password

Expected results:
root is not able to log in since no password was specified during the installation

Additional info:
reproduced during both text and graphical installation
Comment 1 Jan Stodola 2013-03-26 10:11:38 EDT
Created attachment 716532
anaconda.log
Comment 2 Jan Stodola 2013-03-26 10:11:47 EDT
Created attachment 716533
anaconda.packaging.log
Comment 3 Jan Stodola 2013-03-26 10:11:54 EDT
Created attachment 716534
anaconda.program.log
Comment 4 Jan Stodola 2013-03-26 10:11:58 EDT
Created attachment 716535
anaconda.storage.log
Comment 5 Jan Stodola 2013-03-26 10:12:02 EDT
Created attachment 716536
passwd
Comment 6 Jan Stodola 2013-03-26 10:12:06 EDT
Created attachment 716537
syslog
Comment 7 Jens Petersen 2013-04-02 05:28:40 EDT
I just reproduced this too with TC3.

Proposing as an Alpha blocker since I think we really should not ship
even Alpha with this kind of vulnerability present.
Comment 8 Jens Petersen 2013-04-02 20:40:15 EDT
Root login should be disabled if no root passwd is set up by anaconda.
Comment 9 Adam Williamson 2013-04-03 13:11:38 EDT
Discussed at 2013-04-03 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-04-03/f19alpha-blocker-review-4.2013-04-03-16.01.log.txt . Rejected as a blocker: we just don't see this as serious enough. Alpha is not meant to be deployed in any kind of production scenario. You can't log in via ssh to a password-less account, hence this isn't (obviously) remotely exploitable. You still have to manually decide not to enter a root password and then create an admin user to cause this. It's a bug, yeah, but it doesn't hit any criteria and no-one seemed particularly keen to make it a blocker.

Accepted as a freeze exception bug, though: it's always nice to fix security issues if the fix isn't too invasive.
Comment 10 Jens Petersen 2013-04-03 23:33:10 EDT
(Still true for TC4)
Comment 11 Sander Salazar 2013-04-14 15:05:51 EDT
Reproduced in TC6.
Comment 12 Fedora Update System 2013-04-30 08:22:25 EDT
anaconda-19.23-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/anaconda-19.23-1.fc19
Comment 13 Adam Williamson 2013-04-30 14:45:45 EDT
Re-proposing as Beta FE, just in case, since it was Alpha FE (but we should get this fixed before freeze hits anyway).
Comment 14 Fedora Update System 2013-04-30 16:01:37 EDT
Package anaconda-19.23-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-19.23-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7049/anaconda-19.23-1.fc19
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2013-05-03 17:05:32 EDT
anaconda-19.24-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/anaconda-19.24-1.fc19
Comment 16 Jan Stodola 2013-05-06 08:08:21 EDT
Retested with F19-Beta-TC3 (anaconda-19.24-1). If no root password is entered during installation, root is not able to log in later on the installed system.

Moving to VERIFIED.
Comment 17 Adam Williamson 2013-05-13 13:14:01 EDT
19.25 went stable; closing.
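
A post-install check for the condition reported in this bug, as an added example that is not part of the bug report or of anaconda's code: it reads passwd- and shadow-format text and lists accounts whose password field is empty. It assumes standard shadow(5) semantics (an empty field means no password is required, a field starting with `!` or `*` is locked); the function names and all sample entries are constructed for illustration.

```python
# Constructed sample data (not taken from the bug's attachments).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin:x:1000:1000:Admin User:/home/admin:/bin/bash
"""
SAMPLE_SHADOW_BAD = """\
root::15790:0:99999:7:::
bin:*:15790:0:99999:7:::
admin:$6$constructedsalt$constructedhash:15790:0:99999:7:::
"""
SAMPLE_SHADOW_LOCKED = SAMPLE_SHADOW_BAD.replace("root::", "root:!!:")


def classify(field):
    """Classify a shadow(5) password field."""
    if field == "":
        return "empty"    # no password needed to authenticate
    if field[0] in "!*":
        return "locked"   # no typed password can match
    return "hashed"


def audit(passwd_text, shadow_text):
    """Return {user: state}; a passwd field of 'x' is resolved via shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    result = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue      # skip blank or malformed lines
        user, pw = parts[0], parts[1]
        if pw != "x":
            result[user] = classify(pw)
        elif user in shadow:
            result[user] = classify(shadow[user])
        else:
            result[user] = "no-shadow-entry"
    return result


def passwordless(passwd_text, shadow_text):
    """Sorted names of accounts whose password field is empty."""
    states = audit(passwd_text, shadow_text)
    return sorted(u for u, s in states.items() if s == "empty")
```

On an installed system, pass in the contents of /etc/passwd and /etc/shadow (reading the latter requires root).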