Your message dated Sat, 13 Jan 2007 19:17:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406587: fixed in sysvinit 2.86.ds1-37
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Subject: init and telinit can reveal root pass on return from runlevel 1
Package: sysvinit
Version: 2.86.ds1-36
Severity: serious
Tags: security
Hi,
It seems that, upon returning from runlevel 1, init is failing to kill the
recovery console, which then tries to run the user's password as a command when
they try to log in again. /sbin/init and /sbin/telinit appear to give identical
results. An earlier version of sysvinit (2.86.ds1-15) does not appear to be
affected by this bug.
To reproduce:
1. log in as root at a local console.
2. run `init 1' to enter that runlevel.
3. enter root password (for maintenance).
4. run `init 2' to return to the original runlevel.
5. you should see a login: prompt. attempt to log in.
On my box, I got `bash: mypassword: command not found'. It's very embarrassing
to see your root pass echoed to a terminal.
Cheers,
L
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Versions of packages sysvinit depends on:
ii initscripts 2.86.ds1-36 Scripts for initializing and shutt
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libselinux1 1.32-3 SELinux shared libraries
ii libsepol1 1.14-1 Security Enhanced Linux policy lib
ii sysv-rc 2.86.ds1-36 System-V-like runlevel change mech
ii sysvinit-utils 2.86.ds1-36 System-V-like utilities
sysvinit recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: sysvinit
Source-Version: 2.86.ds1-37
We believe that the bug you reported is fixed in the latest version of
sysvinit, which is due to be installed in the Debian FTP archive:
initscripts_2.86.ds1-37_i386.deb
to pool/main/s/sysvinit/initscripts_2.86.ds1-37_i386.deb
sysv-rc_2.86.ds1-37_all.deb
to pool/main/s/sysvinit/sysv-rc_2.86.ds1-37_all.deb
sysvinit-utils_2.86.ds1-37_i386.deb
to pool/main/s/sysvinit/sysvinit-utils_2.86.ds1-37_i386.deb
sysvinit_2.86.ds1-37.diff.gz
to pool/main/s/sysvinit/sysvinit_2.86.ds1-37.diff.gz
sysvinit_2.86.ds1-37.dsc
to pool/main/s/sysvinit/sysvinit_2.86.ds1-37.dsc
sysvinit_2.86.ds1-37_i386.deb
to pool/main/s/sysvinit/sysvinit_2.86.ds1-37_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Petter Reinholdtsen <[EMAIL PROTECTED]> (supplier of updated sysvinit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 13 Jan 2007 20:04:35 +0100
Source: sysvinit
Binary: sysv-rc sysvinit-utils sysvinit initscripts
Architecture: source i386 all
Version: 2.86.ds1-37
Distribution: unstable
Urgency: medium
Maintainer: Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <[EMAIL PROTECTED]>
Description:
initscripts - Scripts for initializing and shutting down the system
sysv-rc - System-V-like runlevel change mechanism
sysvinit - System-V-like init utilities
sysvinit-utils - System-V-like utilities
Closes: 406587
Changes:
sysvinit (2.86.ds1-37) unstable; urgency=medium
.
* Medium urgency as it solves an RC bug in etch.
* Replace 66_init_emerg_tty patch with one only creating a new
session group when sulogin is called directly from init, and not
as part of the runlevel start scripts, to avoid leaving the single
user shell behind when switching runlevel. Updated patch from Samuel
Thibault. (Closes:406587)
* Speed up shutdown 1 second by dropping sleep 1 in init.d/halt
introduced 2.86.ds1-12.
Files:
a710cf2730d8f529519de4fd94f7d2e2 968 admin required sysvinit_2.86.ds1-37.dsc
1330ba37fce6ff31a0f7f63b10abd3b7 178394 admin required
sysvinit_2.86.ds1-37.diff.gz
7d325561a2c845398da0da13398af838 107294 admin required
sysvinit_2.86.ds1-37_i386.deb
c421a9b2312b929fc2284410f7f27f40 65618 admin required
sysvinit-utils_2.86.ds1-37_i386.deb
53d67659fb0dd06a81d424b77a9bec1a 58864 admin required
initscripts_2.86.ds1-37_i386.deb
4ef17ecaba2b6a3a6986f46410341ab9 56014 admin required
sysv-rc_2.86.ds1-37_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFqS2020zMSyow1ykRAgdtAKCouCAEg8Cg1DPH2fRDLZ5Kmdxx+wCgmi06
KWmjkHlJS7snp8NQAp0bLA0=
=ys+x
-----END PGP SIGNATURE-----
--- End Message ---
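The changelog entry above ties the leftover single-user shell to sulogin creating a new session. As an added illustration (not the sysvinit patch and not code from this thread), the C program below shows the general POSIX effect: a process that calls setsid() leaves the process group it was started in, so a signal aimed at that group no longer reaches it. The "script" and "shell" roles and the group-directed clean-up signal are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Returns 1 if the "shell" outlives a kill sent to the process group it was
 * started in, 0 if that kill removes it, -1 on setup failure. */
static int survives_group_kill(int new_session)
{
    int ready[2];
    char c;
    if (pipe(ready) < 0) return -1;

    pid_t script = fork();             /* stands in for a runlevel script */
    if (script < 0) return -1;
    if (script == 0) { close(ready[1]); for (;;) pause(); }
    setpgid(script, script);           /* script leads its own process group */

    pid_t shell = fork();              /* stands in for the single-user shell */
    if (shell == 0) {
        setpgid(0, script);            /* start inside the script's group */
        if (new_session) setsid();     /* the step the fix makes conditional */
        if (write(ready[1], "r", 1) != 1) _exit(1);
        for (;;) pause();
    }
    close(ready[1]);
    int ok = shell > 0 && read(ready[0], &c, 1) == 1;  /* wait for shell setup */
    close(ready[0]);

    kill(-script, SIGKILL);            /* clean-up aimed at the script's group */
    waitpid(script, NULL, 0);
    if (!ok) { if (shell > 0) { kill(shell, SIGKILL); waitpid(shell, NULL, 0); } return -1; }

    struct timespec tick = { 0, 20 * 1000 * 1000 };
    for (int i = 0; i < 25; i++) {     /* allow up to ~0.5 s for the kill to land */
        if (waitpid(shell, NULL, WNOHANG) == shell) return 0;
        nanosleep(&tick, NULL);
    }
    kill(shell, SIGKILL);              /* survivor: remove it explicitly by PID */
    waitpid(shell, NULL, 0);
    return 1;
}

int main(void)
{
    printf("same session: survived=%d\n", survives_group_kill(0));
    printf("new session:  survived=%d\n", survives_group_kill(1));
    return 0;
}
```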