[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Nov 15 23:51:15 CET 2016


On 11/15/2016 01:42 PM, Sven Eschenberg wrote:
>
>
> Am 15.11.2016 um 20:19 schrieb Robert Nichols:
>> sulogin is going to be hard to do if the root filesystem (where
>> /etc/shadow resides) has not been decrypted. You would have to have some
>> alternative password mechanism, and you can already accomplish that in
>> GRUB with password-protected alternatives.
>>
>
> No, the root filesystem is the initram (initrd) until rootfs is switched
> over - all you have to do is adding a passwd(file) with an entry to it.
> You won't need shadow anyway, since the only login supported is a root
> login, which implies full access to shadow (usually). Of course you
> would probably not want to just grep the root line from the system, but
> generate a single line passwd(file) with an entry for root with some
> seperate password. If you trust on the cryptographic strength of the
> hashing and salting in the passwd/shadow files, you could include them
> aswell and support user and root logins with sulogin (during initrd).
> Using shadow in this particular case makes sense again.

As I said, "some alternative password mechanism."

FWIW in Red Hat systems, at least, there are several values you can pass 
for "rdbreak=" in the boot parameters that will cause the initrd script 
to drop into a debug shell before the decryption password is ever 
requested. It is a long-standing truism that without physical security, 
there is no protection for unencrypted storage on the system.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.



More information about the dm-crypt mailing list