A newly discovered issue in Devuan's default installation allows for obtaining root privileges without using a password.

Devuan Users Are at Risk, Take Action to Protect Your System

Devuan emerged in 2014 due to Debianโ€™s transition to systemd following a long technical and widely publicized dispute. It is a systemd-free distro, allowing users to choose between SysVinit, OpenRC, and runit for their init system.

User Nicolรกs Colla reports on his GitHub account that he discovered a severe security hole in the distroโ€™s most recent version, Devuan 4.0 โ€˜Chimaera,โ€™ released more than a year and a half ago, which our testing has confirmed. Hereโ€™s what itโ€™s all about.

The Issue

When you download and install the desktop-live Devuan image, you will be prompted to create a user account at the end of the process. However, if you do not want to enable the root account but want to grant the sudo privileges to the user’s account, choose the “Use sudo as default for new user? (and disable root account)” option.

Create a Devuan user account.
Create a Devuan user account.

What are the expectations? Of course, the root account is to be disabled. Unfortunately, however, it is not only not disabled but also allows switching to it without using a password. It is demonstrated below.

Switching to root account without password.
Switching to root account without password.

Things worsen when you discover you can log in to the Devuan system as the root user without a password.

Login as root on Devuan 4.0 without using a password.
Login as root on Devuan 4.0 without using a password.

So, if you installed Devuan using the desktop-live installation ISO and chose to disable the root account, you may have gotten a system with a root account with a blank password instead.

In other words, on a Devuan system with multiple users, you have reason to be seriously concerned since any one of the users can switch seamlessly to the root account.

What Actions Must the Devuan Users Take

The most obvious approach is to immediately set a password for the root account by switching to it and using the command below:

passwd

Another approach to protect your system is to disable the root account by locking the accountโ€™s password. Here’s how.

sudo passwd -l root
Locking the root account password.
Locking the root account password.

In our dedicated guide, you can learn more in-details about user password manipulation in Linux.

Devuan Developers Response

The good news is that the Devuan developers are already aware of the problem, and steps have been taken to fix it. In a post on the distribution’s forum, we can find the following message:

This bug is fixed in refractainstaller-base and refractainstaller-gui version 9.6.5 currently in ceres. It will migrate into daedalus next week. It’s also possible to download the packages from my sourceforge site.

However, given such a major security issue, why the Devuan installation desktop-live images have not yet been updated with new ones that include the necessary fix is puzzling. This is likely expected to happen during the next few days.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 68%