Red Hat Bugzilla – Bug 927922
root account accessible without password when administrator user is created but no root passwd set
Last modified: 2013-05-13 13:14:01 EDT
Description of problem:
root is able to login without providing a password if new user account is created during the installation and it is set as administrator of the system.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. start installation
2. proceed through partitioning and package set selection (tested with minimal package set)
3. create new user - make him administrator of the system and enter password for this account
4. do NOT set any password for root
5. finish the installation and reboot to installed system
6. try to login as root
Actual results:
root is able to login without entering password
Expected results:
root is not able to login since no password was specified during the installation
reproduced during both text and graphical installation
Created attachment 716532
Created attachment 716533
Created attachment 716534
Created attachment 716535
Created attachment 716536
Created attachment 716537
I just reproduced this too with TC3.
Proposing as an Alpha blocker since I think we really should not ship
even Alpha with this kind of vulnerability present.
Root login should be disabled if no root passwd is set up by anaconda.
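The condition reported above comes down to what ends up in root's /etc/shadow entry: an empty second field means no password is required at all (the state that lets root log in without one, subject to the PAM configuration, e.g. pam_unix's nullok option), whereas a field starting with "!" or "*" is locked and cannot be used for password login. The following is an added example, not code from this report or from anaconda, that audits shadow-format lines for the empty-field case and shows the locked form the installer should have written. The shadow lines are constructed for the example (the hash shown for "admin" is a fake placeholder, not a real SHA-512 crypt string), and the function names are the author's own; the "!!" marker for an account that never had a password set follows the Fedora/RHEL convention, and the leading "!" on a hash is what passwd -l produces.

```python
"""Audit /etc/shadow-style entries for password-less accounts.

Added example for the anaconda bug discussed here; not part of the report
or of anaconda. It models the buggy state (root's password field EMPTY)
and the expected state (root's password field LOCKED).
"""
from typing import List, Tuple

# Constructed sample in /etc/shadow format:
# name:password:lastchg:min:max:warn:inactive:expire:flag
# "root"  - the state the bug report describes (empty field, no password needed)
# "admin" - the administrator user; the hash is a FAKE placeholder for illustration
# "bin"   - locked with "*" (system account)
# "guest" - locked with "!!" (never had a password set)
SAMPLE_SHADOW = """\
root::15800:0:99999:7:::
admin:$6$saltsalt$FAKEHASHFORILLUSTRATIONONLY:15800:0:99999:7:::
bin:*:15800:0:99999:7:::
guest:!!:15800:0:99999:7:::
"""


def classify(password_field: str) -> str:
    """Classify the second field of a shadow entry.

    'empty'  -> no password required at all (the bug's condition)
    'locked' -> password authentication impossible ("!", "!!", "*", ...)
    'hashed' -> an ordinary password hash
    """
    if password_field == "":
        return "empty"
    if password_field[0] in "!*":
        return "locked"
    return "hashed"


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (user, password_field) pairs; skip blank/comment lines, reject malformed ones."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        entries.append((fields[0], fields[1]))
    return entries


def passwordless_accounts(text: str) -> List[str]:
    """Names of accounts whose password field is empty, i.e. that would accept no password."""
    return [user for user, pw in parse_shadow(text) if classify(pw) == "empty"]


def lock_entry(line: str) -> str:
    """Return the entry with its password field locked.

    An empty field becomes "!!" (Fedora's "never set" marker); a hash gets a
    leading "!" as `passwd -l` does; an already-locked field is left alone.
    """
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow entry")
    pw = fields[1]
    if pw == "":
        fields[1] = "!!"
    elif pw[0] != "!":
        fields[1] = "!" + pw
    return ":".join(fields)


def lock_passwordless(text: str) -> str:
    """Rewrite a shadow file so that every empty password field is locked."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and line.split(":")[1] == "":
            out.append(lock_entry(line))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # On a real system: sudo python3 shadow_audit.py < /etc/shadow
    # (exits non-zero if any account has an empty password field)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHADOW
    for user, pw in parse_shadow(data):
        print(f"{user:10s} {classify(pw)}")
    bad = passwordless_accounts(data)
    if bad:
        print("PASSWORDLESS:", ", ".join(bad))
        sys.exit(1)
```

Run against the constructed sample, the audit flags only root; after lock_passwordless the same check returns nothing, which is the post-install state the installer is expected to produce when no root password is entered. On an installed system the quick manual equivalent is `sudo awk -F: '$2 == "" {print $1}' /etc/shadow`.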
Discussed at 2013-04-03 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-04-03/f19alpha-blocker-review-4.2013-04-03-16.01.log.txt . Rejected as a blocker: we just don't see this as serious enough. Alpha is not meant to be deployed in any kind of production scenario. You can't log in via ssh to a password-less account, hence this isn't (obviously) remotely exploitable. You still have to manually decide not to enter a root password and then create an admin user to cause this. It's a bug, yeah, but it doesn't hit any criteria and no-one seemed particularly keen to make it a blocker.
Accepted as a freeze exception bug, though: it's always nice to fix security issues if the fix isn't too invasive.
(Still true for TC4)
Reproduced in TC6.
anaconda-19.23-1.fc19 has been submitted as an update for Fedora 19.
Re-proposing as Beta FE, just in case, since it was Alpha FE (but we should get this fixed before freeze hits anyway).
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-19.23-1.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
anaconda-19.24-1.fc19 has been submitted as an update for Fedora 19.
Retested with F19-Beta-TC3 (anaconda-19.24-1). If no root password is entered during installation, root is not able to login later on installed system.
Moving to VERIFIED.
19.25 went stable; closing.