Bug #196
password vulnerability in R6's service menu
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | 12/31/1969 |
| Assignee: | jams | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | 6.00.04 | | |
Description
Upon exploring the service menu in R6 (service menu>linhes>password), I noticed that anyone can change my root password as well as passwords for other users from the Password section.
Related issues
related to LinHES - Bug #111: password change process inconsistent with MythTV UI prece... | Closed |
History
Updated by tjc almost 16 years ago
The relationship with issue 111 is mostly circumstantial, but there's probably a fair amount of synergy in the possible resolutions...
Updated by tjc almost 16 years ago
Looks like these screens can be made inaccessible. I'll test that shortly and if so this can be closed. Possibly we should do this automatically after the initial setup is complete to prevent mischief...
Updated by tjc almost 16 years ago
Disabling these in the Access screen does block the use of the Password and Web security screens, but it's very weak protection since you can simply go back into the Access screen and enable them again. Kind of like "locking" your house with a 6" piece of duct tape stuck from the door knob to the door jamb. ;-)
Updated by graysky almost 16 years ago
Ha! You mean I should stop using duct tape to lock my door?! Anyway, can the permissions on the underlying scripts be changed so that only root can access them + hiding them in the menu after the initial run?
Updated by jams almost 13 years ago
- Target version changed from 7.2 to 6.00.04