Sulogin CTRL-C Security Issue

[Marek Psiuk]

Hello

I've been recently trying to harden Ubuntu on some Notebook.
I've set the password for BIOS and for grub (recovery mode ), i've
disabled also booting from any removable media. While testing
the outcome of my hardening i started to play with initscripts. 

It showed up that when i press Ctri+C during booting, exactly
when the script checroot.sh is executed i get a root prompt.

At first it was a big shock, but when i started to digging in the system
( and ubuntu's mailinglists ) it was obvious that this issue is triggered
by the special ubuntu's sudo policy ( which appeared quite interesting ) , 
which forced patching sulogin - letting in without a password if a root
account is blocked.

I understand the Ubuntu's sudo approach, but such a Security Hole
is unacceptable to me. I know that if someone has a physical access
to the PC, he ows it, but this is like a invitation "Please Hack My BOX".
Anyone cat r00t a box within a minute .....

Maybe the sulogin-patch approach is OK and the thing that's messed
up i trapping of SIGINT. Anyways to temporarily solve this problem
i've enabled the root account.

Regards
Rotgier <psiuk at student agh edu pl>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20050908/26062736/attachment.html>