root login possible on console without auth check

Bug #121321 reported by JensKiel
Affects: pam (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Kees Cook
Milestone:

Bug Description

Binary package hint: libpam-runtime

When I go to the console (tty1, tty2, ...), e.g. by typing C-A-F1, I can log in as root without a password. This is a security risk (in my opinion) for computers that are unsupervised in public areas.

My system is an i386 Samsung notebook running Feisty.

The root account is passwordless by default in an Ubuntu system and I usually do 'sudo whatever' for administration purposes.
This is in accordance with Ubuntu philosophy.

The console login is PAM-controlled and the file /etc/pam.d/common-auth contains the line

    auth required pam_unix.so nullok_secure

which is the trouble maker. The option 'nullok_secure' is Ubuntu-specific and, if I understand the source (I have found no documentation), it allows console login for passwordless users.

I think that 'root' should be excluded from this. For my system I remove the option 'nullok_secure' from 'auth' to make my system more secure.

Maybe this is already known or even desired by design, but I think it should not be like this. At least users should be warned.

First, can anyone try to reproduce this? Maybe I screwed up something else.

Thanks in advance. And thanks for Ubuntu.

Revision history for this message
Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.

The default root password does not exist (rather than being "empty"). You can verify this with:

  sudo grep root /etc/shadow

It should report a line starting with:

  root:!:....

The "!" means the password is locked. With a default Feisty install, I am not able to log in as root as you've described. Have you made any changes to root's password or your PAM configurations?

Thanks in advance.

Changed in pam:
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → Needs Info
Revision history for this message
JensKiel (jxkrause) wrote :

Thanks, Kees, for your answer.

In fact on my system

sudo grep root /etc/shadow

gives

root::...

(No '!'). My mistake was the following. There was one application that asked for a root password for installation. I did this temporarily and used "passwd -d" for deletion. Now I learnt that one should call "passwd -l" (minus ell) for doing this. Mea culpa: the Ubuntu documentation says so somewhere.

Consider the problem solved.

Regards,
Jens
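The check Kees describes (look at the second field of root's /etc/shadow entry) and the "passwd -d" versus "passwd -l" distinction Jens arrives at, as an added example that is not part of the original bug report: a POSIX shell classifier for the password field of /etc/shadow-style lines. The sample lines are constructed, the hashes are placeholders, and the function names (shadow_status, find_passwordless) are mine. It relies on two facts about shadow-utils: "passwd -l" prefixes the existing hash with "!" rather than deleting it, and "passwd -d" empties the field, and an empty field is the only state that pam_unix's nullok or nullok_secure accepts without asking for a password.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Ubuntu's pam package.
# Classifies the password field of /etc/shadow lines so that accounts which
# nullok/nullok_secure would let in without a password stand out.

shadow_status() {
    # $1 is one /etc/shadow line; the encrypted password is the second field.
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")            echo empty ;;        # passwd -d: no password, nullok applies
        '!'|'!!'|'*')  echo locked ;;       # locked, no usable hash (default root)
        '!'*)          echo locked-hash ;;  # passwd -l / usermod -L: hash kept, login refused
        *)             echo set ;;          # a real hash: password required
    esac
}

# Constructed sample file (not from any real system); "$6$salt$..." are placeholders.
SAMPLE='root:!:17000:0:99999:7:::
jens:$6$saltsalt$notarealhash:17000:0:99999:7:::
alice::17000:0:99999:7:::
bob:!$6$saltsalt$notarealhash:17000:0:99999:7:::'

# Print the name of every account whose console login needs no password at all.
# On a live system you would feed it: sudo cat /etc/shadow
find_passwordless() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        if [ "$(shadow_status "$line")" = empty ]; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Stand-alone run: ./shadow_check.sh --run prints "account<TAB>status" per line.
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        printf '%s\t%s\n' "${line%%:*}" "$(shadow_status "$line")"
    done
    echo "passwordless accounts: $(find_passwordless | tr '\n' ' ')"
fi
```

The "root:!:" line is what a default install looks like and what Kees expected; the "alice::" line is the state Jens had produced with "passwd -d", and it is the only one the classifier reports. Removing nullok_secure from common-auth closes the hole for every such account, but "passwd -l" (or "usermod -L") fixes the account itself and keeps the distinction between "no password" and "locked" visible in /etc/shadow.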

Revision history for this message
Kees Cook (kees) wrote :

Great! Thanks for checking into the problem. I've closed the bug.

Changed in pam:
status: Needs Info → Rejected