Tiny Core Base > TCB Q&A Forum

Big security flaw with custom user and noautologin


baz:
If you specify a custom user and noautologin in the bootcodes (already having set the passwords and all) you can simply bypass it all by providing the user "tc" with no password to get into the system.

Please let me know if I should not report problems or issues regarding custom users since bmarkus let me know in another thread that focus on this is being delayed to a later date.

Baz

gerald_clark:
Did you also set a password for tc?

baz:
No, went directly to custom user. That would very likely work, but should be documented I guess.

baz:
Another issue actually - and perhaps I am misunderstanding how this is supposed to work - if I am using the default user "TC" (on a fresh install without ever having specified a custom user) and I want to specify noautologin - I first have to temporarily provide the bootcode "secure" to set the passwords. Once those are set, I remove the "secure" bootcode, and provide /etc/shadow to .filetool.lst, is this correct?

The problem is if I do that, and reboot, TC does not require a password, but if I keep the "secure" bootcode I am asked to redo my passwords at every boot.

Thoughts?

danielibarnes:
Are you certain the backup containing your custom etc/shadow was restored?

I agree that if you specify a custom user the tc user should not even be present, but that likely involves a lot of changes and testing so I figure it will be investigated after 2.9 is released.
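An added audit check (not from this thread or the Tiny Core project) for the two conditions discussed above: an account such as "tc" whose shadow entry has an empty password field, and etc/shadow missing from the .filetool.lst backup list so that set passwords do not survive a reboot. It assumes filetool entries are paths relative to / (as "etc/shadow" is used in the thread) and uses constructed sample files in place of the real /etc/shadow and .filetool.lst.

```shell
# Constructed stand-ins for /etc/shadow and .filetool.lst (not real system files).
SHADOW_SAMPLE="$(mktemp)"
FILETOOL_SAMPLE="$(mktemp)"
trap 'rm -f "$SHADOW_SAMPLE" "$FILETOOL_SAMPLE"' EXIT
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
tc::19000:0:99999:7:::
baz:$6$constructedsalt$constructedhash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
EOF
cat > "$FILETOOL_SAMPLE" <<'EOF'
opt
home
EOF

# Print accounts whose shadow password field (field 2) is empty: such an account
# is let in without any password. Locked markers "*" and "!" are not reported.
passwordless_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Succeed only if the filetool list contains an exact "etc/shadow" line.
shadow_persisted() {
  grep -qx 'etc/shadow' "$1"
}

# Verdict: 0 = clean, 1 = passwordless account found, 2 = shadow not persisted.
audit() {
  shadow="$1"; filetool="$2"; rc=0
  for u in $(passwordless_accounts "$shadow"); do
    echo "WARN: account '$u' has an empty password field in $shadow"
    rc=1
  done
  if ! shadow_persisted "$filetool"; then
    echo "WARN: etc/shadow not listed in $filetool; passwords will be lost on reboot"
    if [ "$rc" -eq 0 ]; then rc=2; fi
  fi
  return "$rc"
}

if audit "$SHADOW_SAMPLE" "$FILETOOL_SAMPLE"; then
  echo "OK: no passwordless accounts and etc/shadow is persisted"
else
  echo "audit exit status: $?"
fi
```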
