LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-19-2016, 03:16 AM   #1
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16
Blog Entries: 1

Rep: Reputation: Disabled
ls /etc | sh making root passwd empty in my linux box.


1> When i ran the command "ls /etc | sh", root password becomes empty. Using busybox-1.18.5. As of i know this passwd command changing busybox password.
2> So, my point here is about to solve the "ls /etc |sh" should not make the root password empty.

Output:
~ # ls /etc | sh
Changing password for root
New password:
Bad password: too short
Retype password:
Password for root changed by root

Here root password is empty now.
 
Old 08-19-2016, 03:22 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
Quote:
As of i know this passwd command changing busybox password
Where is this information coming from?
 
Old 08-19-2016, 03:25 AM   #3
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
When enter the command passwd --help.
~ # passwd --help
BusyBox v1.18.5 (2016-08-18 19:07:10 IST) multi-call binary.
 
Old 08-19-2016, 03:27 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
Code:
% busybox passwd --help
BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) multi-call binary.

Usage: passwd [OPTIONS] [USER]

Change USER's password (default: current user)

	-a ALG	Encryption method
	-d	Set password to ''
	-l	Lock (disable) account
	-u	Unlock (enable) account
the method you mentioned is not printed here.
 
Old 08-19-2016, 03:37 AM   #5
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
~ # ls /etc | sh
This command making root password becomes empty.

~ # passwd --hlep
passwd: unrecognized option `--hlep'
BusyBox v1.18.5 (2016-08-18 19:07:10 IST) multi-call binary.

Usage: passwd [OPTIONS] [USER]

Change USER's password. If no USER is specified,
changes the password for the current user.

Options:
-a ALG Algorithm to use for password (des, md5)
-d Delete password for the account
-l Lock (disable) account
-u Unlock (re-enable) account


My intention is to say this passwd command is busybox command.
But main issue is with "ls /etc | sh" command.
 
Old 08-19-2016, 03:53 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
Quote:
~ # ls /etc | sh
This command making root password becomes empty.
where is this information coming from?
 
Old 08-19-2016, 04:01 AM   #7
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
where is this information coming from?
Executed this command in the shell of my linux box.
 
Old 08-19-2016, 04:11 AM   #8
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
accidentally/occasionally it may work, but I think it is not recommended at all.

Quote:
But main issue is with "ls /etc | sh" command.
What is the issue you want to discuss?
 
Old 08-19-2016, 04:23 AM   #9
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
"ls /etc | sh" executed in shell.

The files under /etc directory is piped to sh. passwd file also present under the /etc directory.

Whenever the passwd file is piping to sh, sh treating that as a command, only when we have passwd command under /usr/bin.

So, shell executing that command and providing some input to passwd command, then making password empty.

i don't want to shell making password empty.
 
Old 08-19-2016, 04:25 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
so do not execute that command
 
2 members found this post helpful.
Old 08-19-2016, 04:33 AM   #11
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Thanks,

we are using the cli in my product to execute the commands,

We have an option that we can execute shell commands from cli, so that time if anybody uses this command from cli my root password will becomes empty.

Then my box is open to that guy.

So, requires fix.

And one more thing, same command executed in the ubuntu system it is not allowing shell to change password.

Output on ubuntu:
# ls /etc | sh
Enter new UNIX password: Retype new UNIX password: passwd: Authentication token manipulation error
passwd: password unchanged
 
Old 08-19-2016, 05:31 AM   #12
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
Only root allowed to change the root password and you cannot restrict root anyway. So he/she will be able to execute passwd -d and therefore will be able to set passwd to ''.
The result of ls /etc depends on the host itself (content of /etc), therefore ls /etc | sh may or may not change password (see post #8).
 
Old 08-19-2016, 06:21 AM   #13
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
It is always changing the root password, i need to solve this bug.
Thanks for you discussion.
 
Old 08-19-2016, 06:23 AM   #14
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,967

Rep: Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721Reputation: 5721
this is not a bug, you cannot solve it.
 
Old 08-19-2016, 06:28 AM   #15
sivagopiraju
LQ Newbie
 
Registered: Aug 2016
Posts: 16

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
But this is vulnerability to the product. So, should have some fix.

Is there any possibility to make filesystem read only when we are executing this command.

And is there any possibility to catch shell inputs from the code point of view.

Last edited by sivagopiraju; 08-19-2016 at 06:31 AM. Reason: adding some extra info
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux STB root passwd senderj Linux - Hardware 2 11-12-2015 03:44 AM
[SOLVED] forgot root passwd, kernel boot in single mode still asks for root passwd nass Slackware 11 05-08-2012 12:37 PM
Gentoo VNC, empty dialog box !! "Question" window is empty ! TheHushedCaskeT Linux - Software 0 02-01-2005 10:14 PM
I have forgot my linux root passwd shankha Linux - Security 2 09-13-2003 06:13 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 12:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration