Your message dated Fri, 12 Jan 2007 15:58:59 +1300
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406588: Acknowledgement (init and telinit can reveal root
pass on return from runlevel 1)
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security
Hi,
It seems that, upon returning from runlevel 1, init is failing to kill the
recovery console, which then tries to run the user's password as a command when
they try to log in again. /sbin/init and /sbin/telinit appear to give identical
results. An earlier version of sysvinit (2.86.ds1-15) does not appear to be
affected by this bug.
To reproduce:
1. log in as root at a local console.
2. run `init 1' to enter that runlevel.
3. enter root password (for maintenance).
4. run `init 2' to return to the original runlevel.
5. you should see a login: prompt. attempt to log in.
On my box, I got `bash: mypassword: command not found'. It's very embarrassing
to see your root pass echoed to a terminal.
Cheers,
L
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Versions of packages sysvinit depends on:
ii initscripts 2.86.ds1-36 Scripts for initializing and shutt
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libselinux1 1.32-3 SELinux shared libraries
ii libsepol1 1.14-1 Security Enhanced Linux policy lib
ii sysv-rc 2.86.ds1-36 System-V-like runlevel change mech
ii sysvinit-utils 2.86.ds1-36 System-V-like utilities
sysvinit recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Please close; duplicated in 406587.
L
On 20070111 18:48:27, Debian Bug Tracking System spoke thusly:
> Thank you for the problem report you have sent regarding Debian.
> This is an automatically generated reply, to let you know your message has
> been received. It is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
> Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>
>
> If you wish to submit further information on your problem, please send
> it to [EMAIL PROTECTED] (and *not* to
> [EMAIL PROTECTED]).
>
> If you have filed this report in error and wish to close it, please
> send mail to [EMAIL PROTECTED] with an explanation
> why the bug report should be closed.
>
> Please do not reply to the address at the top of this message,
> unless you wish to report a problem with the Bug-tracking system.
>
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
--- End Message ---