Package: debian-installer
Severity: important
Tags: security

There is now an option in the expert mode of the debian-installer that allows the user to install their system without a root account (replacing it with sudo privileges for the default user). This exposes a loophole that enables local attackers to easily obtain root access.

Details:

Since there is no root password set up during installation, a local attacker can simply boot into the root account (without being prompted for a password) via single user mode ("single" kernel option). Then, he/she can do all kinds of malicious things, but the easiest would be to simply change the root password... thus owning the machine. And since the user never logs in with the root password him/herself, he/she would never realize that an attacker had gotten in (unless he/she diligently reviews logs). [1] discusses the details of the method for password recovery, but the same can be used for malicious purposes, of course.

Potential solutions:

1. Always create a root password (e.g. set up a random root password, rather than no password, during the no root debian-installer setup page). Note that this may currently be done since "su" itself asks for a password.
2. Drop the user to a full login prompt when booting into single user mode; thus requiring a valid user account and sudo to perform administrative actions. Note that it may be possible to circumvent this via the "init" kernel option, for example "init=/bin/bash".
3. Disable the no-root setup page in debian-installer.

The third option may be the easiest to implement immediately -- especially since it's an experimental option in the expert mode of the installer. The second option is probably the most robust, but might be easily circumvented, and would require changes in single user mode such as automatically mounting /home, which may make single user mode harder to use (one use case for this mode is to recover or scan /home, and if it's mounted, that's more difficult).

Justification for why a fix for this problem is necessary:

There are levels of vulnerability/security. At the lowest level are pure software vulnerabilities (such as this issue), which require absolutely no effort for a local attacker.
However, for a hardware-assisted exploit, it requires surreptitious entry, more time, and more preparedness (and it looks suspicious, and can be somewhat prevented by limiting access to areas via locks, valid users only, etc). The user can also increase their security by disabling boot from media in the BIOS, which would force the attacker to spend more time to crack open the machine, which is even more suspicious. At each level, it takes more and more time for the attacker to exploit the vulnerability, thus increasing the chance of detecting them. Less than a minute for the software exploit, 10s of minutes for hardware assisted and longer for resetting the BIOS.

Severity:

Note that the severity of this problem is fairly low right now since no-root is a non-default option in the "expert" installer. Hence, few Debian systems are likely exposed; but regardless, this problem should be fixed ASAP. Note that no-root has been the default installer behavior for Ubuntu (since at least Dapper I think), so it is a much more severe issue for them.

[1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html
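
Added example, not part of the original report or of debian-installer: a defender's audit for the state the report describes. It classifies root's password field in a shadow(5)-format file and flags the "single" and "init=" kernel options the report names. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): audit for the condition it describes.

# Classify root's password field in a shadow(5)-format file.
# Prints one of: empty | locked | set | missing
root_pw_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"    # no password at all
            else if ($2 ~ /^[!*]/) print "locked"   # password login disabled
            else                   print "set"      # a hash is present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Print the kernel command-line tokens the report names: "single" and init=...
risky_boot_args() {
    set -f                      # no globbing while splitting the string
    for tok in $1; do
        case $tok in
            single|init=*) printf '%s\n' "$tok" ;;
        esac
    done
    set +f
}

# Constructed sample data (hypothetical host), so the script runs offline.
sample_shadow=$(mktemp)
trap 'rm -f "$sample_shadow"' EXIT
cat > "$sample_shadow" <<'EOF'
root::14610:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14610:0:99999:7:::
EOF
sample_cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro single'

echo "root password field: $(root_pw_state "$sample_shadow")"
echo "boot options of note: $(risky_boot_args "$sample_cmdline" | tr '\n' ' ')"
```

On a live system the same functions can be pointed at /etc/shadow (readable by root only) and the contents of /proc/cmdline.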