Devuan emerged in 2014 as a result of Debian’s transition to systemd, following a long and widely publicized technical dispute. It is a systemd-free distro that lets users choose between SysVinit, OpenRC, and runit as their init system.
User Nicolás Colla reports on his GitHub account that he discovered a severe security hole in the distro’s most recent version, Devuan 4.0 “Chimaera,” released more than a year and a half ago, and our testing has confirmed it. Here’s what it’s all about.
The Issue
When you download and install the desktop-live Devuan image, you are prompted to create a user account at the end of the process. If you do not want to enable the root account but do want to grant sudo privileges to that user account, you choose the “Use sudo as default for new user? (and disable root account)” option.
The expectation, of course, is that the root account is disabled. Unfortunately, not only is it not disabled, but it is also possible to switch to it without entering a password, as demonstrated below.
Things get worse when you discover that you can also log in to the Devuan system as the root user without a password.
So, if you installed Devuan from the desktop-live installation ISO and chose to disable the root account, you may instead have ended up with a system whose root account has a blank password.
In other words, on a Devuan system with multiple users, you have reason to be seriously concerned, since any one of those users can switch to the root account without any password at all.
What Actions Must the Devuan Users Take
The most obvious approach is to immediately set a password for the root account by switching to it and using the command below:
passwd
Another approach to protect your system is to disable the root account by locking the account’s password. Here’s how.
sudo passwd -l root
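As an added check (example code, not from the article or from the Devuan project), a POSIX shell function that reads the root entry in shadow(5) format and reports whether its password field is blank, locked, or set, so you can tell whether the commands above are needed or have taken effect. The sample lines are constructed and contain no real hashes.

```shell
#!/bin/sh
# Classify the password field (field 2) of a shadow(5) line for root:
#   ""            -> blank: anyone can become root with no password
#   "!..." / "*"  -> locked / no valid password (what 'passwd -l root' produces)
#   anything else -> a real password hash is set
# Prints one of: blank | locked | set | not-root
shadow_root_state() {
    line=$1
    user=${line%%:*}          # field 1: account name
    rest=${line#*:}
    hash=${rest%%:*}          # field 2: password hash
    if [ "$user" != "root" ]; then
        printf 'not-root\n'
        return 0
    fi
    case $hash in
        '')         printf 'blank\n' ;;
        '!'* | '*'*) printf 'locked\n' ;;
        *)          printf 'set\n' ;;
    esac
}

# Constructed sample entries (placeholder salts/hashes, not real ones).
SAMPLE_BLANK='root::19500:0:99999:7:::'
SAMPLE_LOCKED='root:!:19500:0:99999:7:::'
SAMPLE_SET='root:$6$constructedsalt$constructedhash:19500:0:99999:7:::'

# Check the live system when /etc/shadow is readable (normally only as root).
if [ -r /etc/shadow ]; then
    rootline=$(grep '^root:' /etc/shadow || true)
    state=$(shadow_root_state "$rootline")
    if [ "$state" = blank ]; then
        echo "WARNING: root has a blank password; run 'sudo passwd -l root'" >&2
    else
        echo "root password state: $state"
    fi
fi
```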
In our dedicated guide, you can learn more about managing user passwords in Linux.
Devuan Developers’ Response
The good news is that the Devuan developers are already aware of the problem, and steps have been taken to fix it. In a post on the distribution’s forum, we can find the following message:
This bug is fixed in refractainstaller-base and refractainstaller-gui version 9.6.5 currently in ceres. It will migrate into daedalus next week. It’s also possible to download the packages from my sourceforge site.
However, given the severity of the security issue, it is puzzling that the Devuan desktop-live installation images have not yet been replaced with new ones that include the fix. This is likely to happen within the next few days.