Ubuntu security hole? (not super major, but wondering if it is an issue to report)

towsonu2003 ulist at gs1.ubuntuforums.org
Tue May 9 13:51:03 UTC 2006


Chanchao Wrote:
> HOWEVER, at this point it put me straight into a root shell!
> 'root at ubuntu #'   So it did not prompt for a root password (obviously,
> as there is none) but it also did not prompt for my own password.

Did you file a bug report?



Cybe R. Wizard Wrote:
> On Tue, 09 May 2006 11:04:18 +0700
> Chanchao <custom (AT) freenet (DOT) de> wrote:
>
> > HOWEVER, at this point it put me straight into a root shell!
> > 'root at ubuntu #'   So it did not prompt for a root password (obviously,
> > as there is none) but it also did not prompt for my own password. Of
> > course it wouldn't know which username in the sudoers list to pick (in
> > my case there's only one), but the result was that the system opened
> > itself up with complete root access to whoever was sitting at the
> > keyboard.
>
> As ever, if a black hat has physical access to the machine all security
> bets are off.

I hear this argument every time a local user privilege escalation bug is
caught... I heard this even when the plaintext password bug was
discovered in Ubuntu.

Dick Davies Wrote:
> The case we're talking about here is when the machine has major
> problems and can't mount its disks. It's not on the network and isn't
> going to be without some help.
>
> I don't think that's the time to throw obstacles in the way of a user
> who's trying to fix things, just to gain a false sense of security.

Windows did it *ducks* as it removes the obstacles in the way of the
"user"...



I don't see anything wrong with assuming that any local or remote users
may be malicious (use the privilege escalation) or stupid (use rm after
privilege escalation).


-- 
towsonu2003
