Subject: init and telinit can reveal root pass on return from runlevel 1 Package: sysvinit Version: 2.86.ds1-36 Severity: serious Tags: security
Hi, It seems that, upon returning from runlevel 1, init is failing to kill the recovery console, which then tries to run the user's password as a command when they try to log in again. /sbin/init and /sbin/telinit appear to give identical results. An earlier version of sysvinit (2.86.ds1-15) doesn not appear to be affected by this bug. To reproduce: 1. log in as root at a local console. 2. run `init 1' to enter that runlevel. 3. enter root password (for maintenance). 4. run `init 2' to return to the original runlevel. 5. you should see a login: prompt. attempt to log in. On my box, I got `bash: mypassword: command not found'. It's very embarrasing to see your root pass echoed to a terminal. Cheers, L -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-3-686 Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Versions of packages sysvinit depends on: ii initscripts 2.86.ds1-36 Scripts for initializing and shutt ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries ii libselinux1 1.32-3 SELinux shared libraries ii libsepol1 1.14-1 Security Enhanced Linux policy lib ii sysv-rc 2.86.ds1-36 System-V-like runlevel change mech ii sysvinit-utils 2.86.ds1-36 System-V-like utilities sysvinit recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
