2

2 days ago some of the university staff asked me about 3 computers here.

All the computers are using Ubuntu and have the exact same password on the login screen for the superuser. Let's say StackPa$$word is the password. 3 computers refused the password.

Decided to hack and reset it. I've launched Ubuntu in recovery mode and I've selected root option in the recovery section. I've realized that it requested no password at all. Just entered command line as the root and I've typed mount -o rw,remount / followed by passwd <username>. It asked me for the new password and I've just entered it, and it accepted it.

Then I wanted to try it for the root, repeated the command as passwd root and it still worked. Now I've added a password of my choice to the root and also a password of my choice to the superuser.

Now I've full access to the computer and can use it for pretty much anything that I want to.

This concerns me way too much. Imagine 100~ computers are in the same situation. Also, if the user puts the password of their choice to the root and superuser, there's only one option, reinstalling the whole thing for that machine.

What do I do now? I wasn't working here before, so I noticed that when I started working. Should I just add passwd root to every single machine to ensure that no one will be able to access recovery terminal?

Also, let's say that I left the entire system like that. What could go wrong?

Please do enlighten me, thank you!

Polynomial
  • A university should have budget to have this done properly. If this issue exists, many more will do too. I suggest a full infra security audit of the environment. There are scanners that can scan policies such as "Is a password configured" for all machines. Look at Qualys Policy Compliance for example. Then harden all systems based on these policies and see the policy violations reduce. – Silver Aug 17 '17 at 21:12
  • Thank you, the budget is not really an issue. Seems like whoever first installed this system didn't take any of the security measurements. I'll look into it right now. @Silver – Tuğberk Kaan Duman Aug 17 '17 at 21:13
  • CIS has hardening guidelines for some Linux operating systems such as Ubuntu. It's a lot of work to configure these properly. Best you make a clean hardened system according to these guidelines and then install this version on all computers. As these are university computers I assume that user data is stored centrally on the network so reinstalling computers can happen without backup? – Silver Aug 17 '17 at 21:16
  • Correct. I don't really know much about this kind of stuff, since my duty is to help the students during the laboratory sessions, but from time to time I work on such cases and want to do it perfectly. Thank you for your guidance. – Tuğberk Kaan Duman Aug 17 '17 at 21:18

1 Answer

6

Oh dear. Sorry, but you goofed. You made a technical mistake and a legal mistake. You may be in trouble. Act carefully.

The legal mistake is that just because you can take control of a machine, doesn't mean you're allowed to. Only the proper authority is allowed to decide who has the root password. From my understanding of what you wrote, you are not the administrator of these machines, merely someone who uses them for your job. By changing the root passwords, you've removed some people's access to these machines. These people may legitimately be angry.

Advising you how to fix this mistake is off-topic here (try Academia if you want advice over the Internet). One way or another, you should go and tell the person in charge of these machines what you did. The person in charge may be a system administrator who should know what they're doing, or they may be someone in an administrative position (e.g. dean of studies) who doesn't know the technical aspects. Either way, they set the policies: they decide who is allowed to log in on the university computers, not you. You may of course suggest changes, especially if the person in charge is non-technical, but they get the final word.

You made a technical mistake with the computers where the weak password didn't work. You never checked whether they had a root password. Nothing in what you did implies that the root account doesn't have a password! When you reboot in recovery mode, you get a root shell, there's no need for a password. When you run the passwd command as root, you aren't prompted for the old password: you're root anyway, so it would be pointless. With the other computers, you can still restore the old password by running passwd again. But with the computers where you used recovery mode, it's too late: the only way to restore the old password is to find a backup, or someone who knows the old password. There's still a chance that /etc/shadow- contains the old password: it's a backup of /etc/shadow that the passwd command creates automatically. But that's only helpful if there's a machine where you only ran passwd once, not if you ran it repeatedly.

You had two complaints about the security of these machines. Both complaints may or may not be legitimate depending on what security properties are expected.

  • Some machines had a weak root password. That may or may not be a problem. Is it a problem that people can be root on machines that are only used for student labs? That would depend on how the machines are used. If the machines are connected to the outside and the students enter their own credentials, then yes, it's a problem and you should raise it. On the other hand, if the machines are isolated and are wiped before doing anything that's graded, then it doesn't matter. Everybody may as well be root.
  • Anyone can take control of the machines if they have physical access. That is unavoidable. If someone has physical access to a computer, it's their computer. There may be a good reason to make it more difficult, at least to require opening the case (meaning, recovery mode should be protected by a password and booting from USB should be disabled). But once again it depends what the computers are used for.

You need to discuss this with the people who use the machines. You can't just barge in there and lock them out. Do voice your security concerns, but also listen to the people who know what's going on, and don't go behind people's backs.

Gilles 'SO- stop being evil'
  • 1
    of course they know that I've changed the password on that one computer. Afterwards opening the computer and being able to enter the superuser I requested one of them to enter the old password for that account using passwd. They reset it to the old password. All my concern was this can easily be repeated by anyone who has access to the PC. Thanks to your suggestions, now I'll offer them to remove USB booting and setting another default password to recovery. – Tuğberk Kaan Duman Aug 18 '17 at 08:16
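
The two checks the answer above says were skipped (whether the root account had a password at all, and whether /etc/shadow- still holds an entry from before the last change) can be scripted as follows. This is an added example, not part of the original question or answer; the user name labadmin, the placeholder hashes and the sample files are constructed, and the `!`/`*` prefix test follows the shadow(5) convention for locked entries.

```sh
#!/bin/sh
# Added example. Reading the real /etc/shadow and /etc/shadow- needs root;
# here the functions run on constructed sample files.

# shadow_field FILE USER: print USER's password field, fail if USER is absent.
shadow_field() {
    awk -F: -v u="$2" '$1 == u { print $2; found = 1; exit }
                       END { if (!found) exit 1 }' "$1"
}

# password_state FILE USER: prints empty | locked | set | missing
password_state() {
    ps_field=$(shadow_field "$1" "$2") || { echo missing; return 0; }
    case "$ps_field" in
        "")        echo empty ;;   # login without any password
        '!'*|'*'*) echo locked ;;  # no usable hash, password login disabled
        *)         echo set ;;     # a password hash is present
    esac
}

# backup_state SHADOW BACKUP USER: prints same | differs | missing
# "differs" means the backup still holds the entry from before the last change.
backup_state() {
    bs_cur=$(shadow_field "$1" "$3") || { echo missing; return 0; }
    bs_old=$(shadow_field "$2" "$3") || { echo missing; return 0; }
    if [ "$bs_cur" = "$bs_old" ]; then echo same; else echo differs; fi
}

# Constructed sample: state after "passwd labadmin" and then "passwd root".
make_sample() {
    cat > "$1/shadow-" <<'EOF'
root:!:17395:0:99999:7:::
labadmin:$6$constructed$NEW_ADMIN_HASH:17395:0:99999:7:::
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$NEW_ROOT_HASH:17395:0:99999:7:::
labadmin:$6$constructed$NEW_ADMIN_HASH:17395:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for u in root labadmin; do
    echo "$u: in_backup=$(password_state "$demo_dir/shadow-" "$u")" \
         "now=$(password_state "$demo_dir/shadow" "$u")" \
         "backup_vs_now=$(backup_state "$demo_dir/shadow" "$demo_dir/shadow-" "$u")"
done
rm -rf "$demo_dir"
```

In the constructed sample the backup still differs for root but is identical for labadmin: the second passwd run overwrote the backup, so the older labadmin entry is no longer recoverable from /etc/shadow-.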