Description of problem:
root is able to log in without providing a password if a new user account is created during the installation and it is set as administrator of the system.

Version-Release number of selected component (if applicable):
F19-Alpha-TC2 anaconda-19.13

How reproducible:
always

Steps to Reproduce:
1. start installation
2. proceed through partitioning and package set selection (tested with minimal package set)
3. create new user - make him administrator of the system and enter password for this account
4. do NOT set any password for root
5. finish the installation and reboot to installed system
6. try to log in as root

Actual results:
root is able to log in without entering password

Expected results:
root is not able to log in since no password was specified during the installation

Additional info:
reproduced during both text and graphical installation
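A post-install check for the state this report describes, added here as an example and not part of the bug report or of anaconda: it parses shadow-format lines (a constructed sample, not the attached passwd file) and separates accounts whose password field is empty, which is what lets root log in with no password, from accounts that are properly locked ('!', '!!' or '*') or carry a real hash.

```python
"""Classify shadow-format entries by password state.

Added example, not from the bug report. The state this bug produces is
a root entry with an EMPTY second field; the expected state for "no root
password given" is a LOCKED field such as '!!' or '*'.
"""
import sys

# Constructed sample in /etc/shadow format (not taken from the report).
SAMPLE_SHADOW = """\
root::15800:0:99999:7:::
bin:*:15800:0:99999:7:::
admin:$6$saltsalt$fakehashforillustration:15800:0:99999:7:::
locked:!!:15800:0:99999:7:::
"""


def classify(field):
    """Return 'empty', 'locked' or 'hashed' for one shadow password field."""
    if field == "":
        return "empty"      # no password at all: login succeeds on Enter
    if field[0] in "!*":
        return "locked"     # password authentication disabled
    return "hashed"         # a real hash; password required


def audit(shadow_text):
    """Map each username to its password state, skipping malformed lines."""
    states = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        states[parts[0]] = classify(parts[1])
    return states


def passwordless_accounts(shadow_text):
    """Usernames that can be logged into without any password, in file order."""
    return [user for user, state in audit(shadow_text).items() if state == "empty"]


if __name__ == "__main__":
    # Run against a real shadow file when a path is given (needs read access).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user in passwordless_accounts(text):
        print("passwordless account:", user)
```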
Created attachment 716532: anaconda.log
Created attachment 716533: anaconda.packaging.log
Created attachment 716534: anaconda.program.log
Created attachment 716535: anaconda.storage.log
Created attachment 716536: passwd
Created attachment 716537: syslog
I just reproduced this too with TC3. Proposing as an Alpha blocker since I think we really should not ship even Alpha with this kind of vulnerability present.
Root login should be disabled if no root passwd is setup by anaconda.
Discussed at 2013-04-03 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-04-03/f19alpha-blocker-review-4.2013-04-03-16.01.log.txt . Rejected as a blocker: we just don't see this as serious enough. Alpha is not meant to be deployed in any kind of production scenario. You can't log in via ssh to a password-less account, hence this isn't (obviously) remotely exploitable. You still have to manually decide not to enter a root password and then create an admin user to cause this. It's a bug, yeah, but it doesn't hit any criteria and no-one seemed particularly keen to make it a blocker. Accepted as a freeze exception bug, though: it's always nice to fix security issues if the fix isn't too invasive.
(Still true for TC4)
Reproduced in TC6.
anaconda-19.23-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/anaconda-19.23-1.fc19
Re-proposing as Beta FE, just in case, since it was Alpha FE (but we should get this fixed before freeze hits anyway).
Package anaconda-19.23-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-19.23-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7049/anaconda-19.23-1.fc19
then log in and leave karma (feedback).
anaconda-19.24-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/anaconda-19.24-1.fc19
Retested with F19-Beta-TC3 (anaconda-19.24-1). If no root password is entered during installation, root is not able to log in later on the installed system. Moving to VERIFIED.
19.25 went stable; closing.