Devuan Users Are at Risk, Take Action to Protect Your System

A newly discovered issue in Devuan's default installation allows for obtaining root privileges without using a password.

Devuan emerged in 2014 due to Debian’s transition to systemd following a long technical and widely publicized dispute. It is a systemd-free distro, allowing users to choose between SysVinit, OpenRC, and runit for their init system.

User Nicolás Colla reports on his GitHub account that he discovered a severe security hole in the distro’s most recent version, Devuan 4.0 ‘Chimaera,’ released more than a year and a half ago, which our testing has confirmed. Here’s what it’s all about.

The Issue

When you download and install the desktop-live Devuan image, you will be prompted to create a user account at the end of the process. However, if you do not want to enable the root account but want to grant the sudo privileges to the user’s account, choose the “Use sudo as default for new user? (and disable root account)” option.

What are the expectations? Of course, the root account is to be disabled. Unfortunately, however, it is not only not disabled but also allows switching to it without using a password. It is demonstrated below.

Switching to root account without password.

Things worsen when you discover you can log in to the Devuan system as the root user without a password.

Login as root on Devuan 4.0 without using a password.

So, if you installed Devuan using the desktop-live installation ISO and chose to disable the root account, you may have gotten a system with a root account with a blank password instead.

In other words, on a Devuan system with multiple users, you have reason to be seriously concerned since any one of the users can switch seamlessly to the root account.

What Actions Must the Devuan Users Take

The most obvious approach is to immediately set a password for the root account by switching to it and using the command below:

passwd

Another approach to protect your system is to disable the root account by locking the account’s password. Here’s how.

sudo passwd -l root

In our dedicated guide, you can learn more in-details about user password manipulation in Linux.

Devuan Developers Response

The good news is that the Devuan developers are already aware of the problem, and steps have been taken to fix it. In a post on the distribution’s forum, we can find the following message:

This bug is fixed in refractainstaller-base and refractainstaller-gui version 9.6.5 currently in ceres. It will migrate into daedalus next week. It’s also possible to download the packages from my sourceforge site.

However, given such a major security issue, why the Devuan installation desktop-live images have not yet been updated with new ones that include the necessary fix is puzzling. This is likely expected to happen during the next few days.

Tell others:

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Linux News You'll Love!

Craving the latest in Linux? Get your weekly fix with our newsletter. It's everything Linux, straight to your inbox! It's fun, it's free, and it's full of insights!

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

United, we are stronger

Humanity to others

A god of wisdom worshipped by the Zulu tribe

2 / 10

Who is the Ubuntu's founder?

Mark Shuttleworth

Richard Stallman

Linus Torvalds

3 / 10

What year was the first official Ubuntu release?

2001

2002

2004

4 / 10

What does the Ubuntu logo symbolize?

South African symbol representing unity

Circle of friends

Astronomical symbol for satellites of a star

5 / 10

What package format does Ubuntu use for installing software?

RPM

DEB

TGZ

6 / 10

When are Ubuntu's LTS versions released?

Every two years, in April

After two minor releases

Following the release of a major Debian version

7 / 10

What is Unity?

An event-based replacement for the traditional init system used in Ubuntu

Ubuntu's display server

Desktop environment

8 / 10

What are Ubuntu versions named after?

Animals

Constellations

Cartoons' characters

9 / 10

What's Ubuntu Core?

An immutable version of Ubuntu for IoT and embedded systems

Module to Linux kernel used by Ubuntu

The main CI/CD system used in the development of Ubuntu

10 / 10

Which Ubuntu version is Snap introduced?

Ubuntu 16.04 LTS (Xenial Xerus)

Ubuntu 18.04 LTS (Bionic Beaver)

Ubuntu 19.10 (Eoan Ermine)

The average score is 68%

Devuan Users Are at Risk, Take Action to Protect Your System

The Issue

What Actions Must the Devuan Users Take

Devuan Developers Response

Tell others:

Bobby Borisov

Linux News You'll Love!

TRENDING

Support US

Leave a ReplyCancel Reply

The Issue

What Actions Must the Devuan Users Take

Devuan Developers Response

Tell others:

Bobby Borisov

Linux News You'll Love!

Related Posts

Peppermint Mini ISOs Get a Major Update

Peppermint Mini: The Newest Member of the Peppermint OS Family

Devuan 5 (Daedalus) Released for the Purist GNU/Linux Users

Devuan Forgot to Renew the Key That Signs System Updates

Leave a ReplyCancel Reply