On Wed, Feb 25, 2009 at 12:02:58AM -0500, Michael Gilbert wrote: > since there is no root password set up during installation, a local > attacker can simply boot into the root account (without being prompted > for a password) via single user mode ("single" kernel option).
Have you tested that this is actually the case? "no password" != "empty password". Booting in single user mode should not allow you to bypass the password prompt, and if it does, that's a bug in the sulogin program. > [1] discusses the details of the method for password recovery, but the > same can be used for malicious purposes, of course. > [1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html This link explicitly shows overriding the init value in the bootloader. That doesn't appear to have anything to do with vulnerabilities with how the root account is set up. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org