Backing up from final installation dialog results in blank root password

Bug #48350 reported by Iwan
Affects              Status        Importance  Assigned to   Milestone
shadow (Ubuntu)      Fix Released  High        Colin Watson
user-setup (Ubuntu)  Fix Released  High        Colin Watson

Bug Description

Binary package hint: passwd

Go to console 1 (Alt+F1), log in as root, just leave the password blank when prompted, voilà, local root.

Iwan (iwan-pieterse) wrote :

It was an alternate normal install on amd64.

Matt Zimmerman (mdz) wrote :

How did you respond to the root password questions when installing?

Matt Zimmerman (mdz)
Changed in shadow:
status: Unconfirmed → Needs Info
Iwan (iwan-pieterse) wrote : Re: [Bug 48350] Re: local root exploit

I was only prompted for normal user passwords. I've asked seveas in
#ubuntu on freenode to confirm for me, haven't heard from him yet; he
can be trusted.

On 6/5/06, Matt Zimmerman <email address hidden> wrote:
> How did you respond to the root password questions when installing?
>
> --
> local root exploit
> https://launchpad.net/bugs/48350
>

Colin Watson (cjwatson) wrote : Re: local root exploit

I just tested this on the Dapper release candidate (which happened to be what I had handy) and didn't experience this bug. I'm not aware of any relevant changes between RC and release.

Could you please attach /var/log/installer/syslog to this bug? Thanks.

Iwan (iwan-pieterse) wrote : Re: [Bug 48350] Re: local root exploit

On 6/5/06, Colin Watson <email address hidden> wrote:
> I just tested this on the Dapper release candidate (which happened to be
> what I had handy) and didn't experience this bug. I'm not aware of any
> relevant changes between RC and release.
>
> Could you please attach /var/log/installer/syslog to this bug? Thanks.
>
> --
> local root exploit
> https://launchpad.net/bugs/48350
>

Colin Watson (cjwatson) wrote : Re: local root exploit

Iwan, I'm afraid e-mail attachments don't work in this bug tracking system yet; you need to use the "Add Attachment" link on the bug's web page.

Iwan (iwan-pieterse) wrote : syslog from the install

syslog from the install

Colin Watson (cjwatson) wrote : Re: local root exploit

This is a problem with user-setup; because its prebaseconfig script runs before prebaseconfig's final message and isn't idempotent, if you back up from the final message and then go forward again, it will break.

Changed in shadow:
status: Needs Info → Confirmed
Colin Watson (cjwatson) wrote :

Ironically, this is because we were being zealous in avoiding the information leak in the Breezy installer. Making sure that the password is cleared out of the cdebconf database when user-setup-apply runs means that if user-setup-apply is run again then it no longer has the information it needs to do things properly ...

Colin Watson (cjwatson) wrote :

Fixing this on upgrades would require an update to something like shadow (selected somewhat arbitrarily).

Changed in shadow:
status: Unconfirmed → Confirmed
Iwan (iwan-pieterse) wrote :

I looked at syslog, didn't see anything interesting. How did you determine where the bug was? Am wondering how you picked it out?

Iwan (iwan-pieterse) wrote :

I think the problem was when I set up RAID: I have sda1 sdb1 as ext3 and mounted as root / and swap sda2 sdb2. I went back when the installer told me I forgot to specify a swap partition.

Colin Watson (cjwatson) wrote :

I had a suspicion of what the bug might be, and confirmed it by looking at the log messages from prebaseconfig. Note how "prebaseconfig: info: Running /usr/lib/prebaseconfig.d/06user-setup" appears twice with an intervening backup.

No, you going back in the partitioner did not cause this bug.

Iwan (iwan-pieterse) wrote :

Any person with a normal user account can ssh into my system and gain root, though most people don't install ssh, but doesn't this bug qualify as more than normal severity?

Colin Watson (cjwatson) wrote :

If you like, but I don't think the severity much matters; we'll be dealing with this ASAP after dapper-security opens regardless of the severity.

Colin Watson (cjwatson) wrote :

user-setup (1.1ubuntu4) dapper-security; urgency=low

  * Refuse to apply an empty root password, which can happen if
    user-setup-apply is run twice due to backing up from prebaseconfig's
    final message (closes: Malone #48350).

 -- Colin Watson <email address hidden> Mon, 10 Jul 2006 17:43:34 +0100

I've also included this change in edgy.

Changed in user-setup:
assignee: nobody → kamion
status: Confirmed → Fix Committed
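
The failure mode described in the comments above, and the guard named in the user-setup changelog, reduced to a toy model. This is an added example, not user-setup's code: the key=value file standing in for the cdebconf database, the function names and the CONSTRUCTED_HASH value are assumptions, and it assumes the second run reads back the cleared value and applies it.

```shell
#!/bin/sh
# Toy model: a key=value file stands in for the cdebconf database and a
# shadow-format file for the target's /etc/shadow. All names are hypothetical.

db_get()   { sed -n "s/^$2=//p" "$1"; }                  # db_get DB KEY
db_clear() { sed "s/^$2=.*/$2=/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

set_root_field() {   # set_root_field SHADOW VALUE
    awk -F: -v OFS=: -v v="$2" '$1 == "root" { $2 = v } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

root_field() { awk -F: '$1 == "root" { print $2 }' "$1"; }

# Before the fix: apply whatever the database holds, then clear the secret.
# Not idempotent: a second run applies the cleared (empty) value.
apply_unguarded() {  # apply_unguarded DB SHADOW
    pw=$(db_get "$1" root_password)
    set_root_field "$2" "$pw"
    db_clear "$1" root_password
}

# After the fix: an empty value is refused, so a second run changes nothing.
apply_guarded() {    # apply_guarded DB SHADOW
    pw=$(db_get "$1" root_password)
    if [ -z "$pw" ]; then
        echo "refusing to apply an empty root password" >&2
        return 0
    fi
    set_root_field "$2" "$pw"
    db_clear "$1" root_password
}

# Run the given apply function twice on fresh constructed files (the second
# run models backing up from the final message and going forward again),
# then print root's resulting password field.
run_twice() {        # run_twice APPLY_FUNCTION
    dir=$(mktemp -d)
    printf 'root_password=CONSTRUCTED_HASH\n' > "$dir/db"
    printf 'root:*:13300:0:99999:7:::\n' > "$dir/shadow"
    "$1" "$dir/db" "$dir/shadow"
    "$1" "$dir/db" "$dir/shadow"
    root_field "$dir/shadow"
    rm -rf "$dir"
}
```

`run_twice apply_unguarded` prints an empty field, while `run_twice apply_guarded` prints the value set by the first run.
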
Colin Watson (cjwatson) wrote :

shadow (1:4.0.13-7ubuntu3.2) dapper-security; urgency=low

  * Tidy up after Malone bug #48350, which left an empty root password if
    you backed up from the installer's final message, by locking the root
    password if this condition is detected. Unfortunately I don't know of a
    reliable way to tell whether this situation arose due to the installer
    bug or deliberately, so the postinst is verbose and we make sure only to
    make this change once.

 -- Colin Watson <email address hidden> Tue, 11 Jul 2006 09:44:49 +0100

I've also included this change in edgy.

A USN will be issued shortly.

Changed in shadow:
assignee: nobody → kamion
status: Confirmed → Fix Committed
importance: Medium → High
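
An added example (not the shadow postinst or any code from this report) of checking a system for the two symptoms discussed above: the 06user-setup hook appearing twice in the installer syslog, and an empty password field for root. The function names, the marker file and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the two symptoms named in this report.
# Paths are arguments so the functions can be run on copies of the files.

# Constructed sample data (not taken from the attached syslog).
make_samples() {          # make_samples DIR
    cat > "$1/syslog" <<'EOF'
Jun  5 10:01:00 prebaseconfig: info: Running /usr/lib/prebaseconfig.d/06user-setup
Jun  5 10:01:30 prebaseconfig: info: Running /usr/lib/prebaseconfig.d/06user-setup
EOF
    printf 'root::13300:0:99999:7:::\n' > "$1/shadow"
}

# How many times did the installer run user-setup's prebaseconfig hook?
# More than once means the final message was backed out of.
user_setup_runs() {       # user_setup_runs INSTALLER_SYSLOG
    grep -cF 'Running /usr/lib/prebaseconfig.d/06user-setup' "$1" || true
}

# Classify root's password field in a shadow-format file.
root_password_state() {   # root_password_state SHADOW_FILE
    awk -F: '$1 == "root" {
        found = 1
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
    }
    END { if (!found) print "missing" }' "$1"
}

# Lock root only when the field is empty, and only on the first call: the
# marker file (hypothetical) keeps a later deliberate choice from being undone.
# On a live system `passwd -l root` does the locking; awk is used here so
# the function works on a copy.
lock_empty_root_once() {  # lock_empty_root_once SHADOW_FILE MARKER
    [ -e "$2" ] && return 0
    : > "$2"
    [ "$(root_password_state "$1")" = "empty" ] || return 0
    echo "root has an empty password in $1; locking it" >&2
    awk -F: -v OFS=: '$1 == "root" { $2 = "!" } { print }' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}
```
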
Martin Pitt (pitti) wrote :

Dapper fixed in http://www.ubuntu.com/usn/usn-316-1. Edgy was fixed yesterday, closing.

I made the bug public since the USN refers to it and it's now fixed.

Changed in shadow:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

I leave the user-setup task open; USN-316-1 updated the packages in the archive, but this should be closed when we release Dapper point release images.

Martin Pitt (pitti) wrote :

Dapper point release was published ages ago, closing.

Changed in user-setup:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.