A newly discovered security issue in Devuan’s default installation allows for obtaining root privileges without a password.
Devuan emerged in 2014 due to Debian’s transition to systemd following a long technical and widely publicized dispute. It is a systemd-free distro, allowing users to choose between SysVinit, OpenRC, and runit for their init system.
User Nicolás Colla reports on his GitHub account that he discovered a severe security hole in the distro’s most recent version, Devuan 4.0 ‘Chimaera,’ released more than a year and a half ago. Our own testing has confirmed the problem. Here’s what it’s all about.
When you download and install the desktop-live Devuan image, you will be prompted to create a user account at the end of the process. However, if you do not want to enable the root account but want to grant the sudo privileges to the user’s account, choose the “Use sudo as default for new user? (and disable root account)” option.
What should you expect? Naturally, that the root account is disabled. Unfortunately, not only is it not disabled, but you can also switch to it without entering a password, as demonstrated below.
Things worsen when you discover you can log in to the Devuan system as the root user without a password.
So, if you installed Devuan using the desktop-live installation ISO and chose to disable the root account, you may have gotten a system with a root account with a blank password instead.
In other words, on a Devuan system with multiple users, you have reason to be seriously concerned since any one of the users can switch seamlessly to the root account.
What Actions Must Devuan Users Take
The most obvious approach is to immediately set a password for the root account by switching to it and using the command below:
Another approach to protect your system is to disable the root account by locking the account’s password. Here’s how.
sudo passwd -l root
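Before choosing either fix, it is worth confirming whether your installation is actually affected. The following POSIX shell snippet is an added example, not part of the original report or of Devuan’s tooling: it reads the root entry of a shadow(5)-format file and classifies the password field as empty (the state this bug leaves behind), locked, set, or missing. It is run here against a constructed sample file; pass no second argument to check the real /etc/shadow (which requires root).

```shell
#!/bin/sh
# Classify the password field of one account in a shadow(5)-format file.
# Prints one of: empty | locked | set | missing | unreadable
password_state() {
    user="$1"
    file="${2:-/etc/shadow}"          # defaults to the live shadow file
    [ -r "$file" ] || { echo unreadable; return 1; }
    # Exact match on the login name (no regex); emit a sentinel when absent.
    hash=$(awk -F: -v u="$user" \
        '$1 == u { print $2; found = 1; exit }
         END      { if (!found) print "<missing>" }' "$file")
    case "$hash" in
        '<missing>')  echo missing ;;
        '')           echo empty ;;    # blank password: anyone can become root
        '!'*|'*'*)    echo locked ;;   # what "passwd -l root" produces
        *)            echo set ;;      # a real hash is present
    esac
}

# Returns 0 when root is safe (locked or set), 1 when root has a blank password.
audit_root() {
    state=$(password_state root "$1")
    echo "root password state: $state"
    [ "$state" != empty ]
}

# Constructed sample shadow file mimicking an affected install; not real data.
SAMPLE_SHADOW=$(mktemp)
printf 'root::19500:0:99999:7:::\n'                   >  "$SAMPLE_SHADOW"
printf 'user:$6$constructed$salt.and.hash:19500:0:99999:7:::\n' >> "$SAMPLE_SHADOW"
audit_root "$SAMPLE_SHADOW" || echo "WARNING: set or lock the root password now"
rm -f "$SAMPLE_SHADOW"
```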
In our dedicated guide, you can learn more about managing user passwords in Linux.
Devuan Developers’ Response
The good news is that the Devuan developers are already aware of the problem, and steps have been taken to fix it. In a post on the distribution’s forum, we can find the following message:
This bug is fixed in refractainstaller-base and refractainstaller-gui version 9.6.5 currently in ceres. It will migrate into daedalus next week. It’s also possible to download the packages from my sourceforge site.
However, given the severity of the issue, it is puzzling that the Devuan desktop-live installation images have not yet been replaced with updated ones that include the fix. This will likely happen within the next few days.