Bug 23406 - if install is cancelled after bootloader installed but before root password and user info entered, will boot to a system with "live" as user with no password and no root password
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: Mageia 7
Assignee: Mageia tools maintainers
QA Contact:
URL:
Whiteboard: MGA6.1TOO
Keywords: 6.1
Depends on:
Blocks:
 
Reported: 2018-08-07 22:43 CEST by ben mcmonagle
Modified: 2018-11-13 00:42 CET

See Also:
Source RPM: draklive-install?
CVE:
Status comment:



Description ben mcmonagle 2018-08-07 22:43:04 CEST
Description of problem: See summary. This is a non-secure system. It would be better to install root password and user info before installing the bootloader and rebooting the system. The other necessary things to set up during 1st boot, like dkms wifi modules and online repos, should still occur.


Version-Release number of selected component (if applicable):


How reproducible: every time. 


Steps to Reproduce:
1. Start live install from either desktop or boot menu install and reboot upon completion as indicated.
2. At the set root password and user info, choose "cancel".
3. Log in to installed system as user "live".
4. Invoke terminal and change to root via "su -". No password is required.
ben mcmonagle 2018-08-07 22:59:10 CEST

Keywords: (none) => 6.1
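
A defender-side check for the state described in the report above, as an added example that is not part of the original bug report or of Mageia's code: it classifies the password field of each shadow-format entry and flags "root" and "live" when that field is empty. The sample entries, the user "alice" and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Mageia code). In shadow(5) format, field 2 is the password
# hash; an empty field lets the account log in, or be reached via "su -",
# with no password, which is the state this bug leaves "root" and "live" in.

# classify_shadow FILE: print "user:state", state = empty | locked | set
classify_shadow() {
    awk -F: '
        $0 == "" || /^#/ { next }                       # skip blanks and comments
        NF < 2           { print $1 ":malformed"; next }
        $2 == ""         { print $1 ":empty";  next }   # no password required
        $2 ~ /^[!*]/     { print $1 ":locked"; next }   # password login disabled
                         { print $1 ":set" }
    ' "$1"
}

# audit_install FILE: print findings; return 1 if any account has no password
audit_install() {
    findings=$(classify_shadow "$1" | awk -F: '
        $2 != "empty" { next }
        $1 == "root"  { print "CRITICAL root has no password"; next }
        $1 == "live"  { print "CRITICAL leftover live user has no password"; next }
                      { print "WARNING " $1 " has no password" }
    ')
    if [ -n "$findings" ]; then
        printf "%s\n" "$findings"
        return 1
    fi
    return 0
}

# Constructed sample of the shadow file after a cancelled install.
sample_shadow() {
    cat <<'EOF'
root::17750:0:99999:7:::
bin:*:17750:0:99999:7:::
live::17750:0:99999:7:::
alice:$6$constructed$notarealhash:17750:0:99999:7:::
EOF
}

# Demo on the constructed sample; on a real system pass /etc/shadow as root.
demo=$(mktemp)
sample_shadow > "$demo"
audit_install "$demo" || echo "insecure install state detected"
rm -f "$demo"
```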

Comment 1 Marja Van Waes 2018-08-09 22:26:48 CEST
I had never noticed the "cancel" button.

Does anyone know why it was added?

Version: 6 => Cauldron
CC: (none) => isobuild, marja11
Whiteboard: (none) => MGA6.1TOO
Assignee: bugsquad => mageiatools

Comment 2 Martin Whitaker 2018-08-11 00:04:55 CEST
(In reply to Marja Van Waes from comment #1)
> I had never noticed the "cancel" button.
> 
> Does anyone know why it was added?

The dialogue box is a shared component used for many purposes. Anything that uses that component gets the OK and Cancel buttons.

I've gone back and tested a few old ISOs.

Mageia 4 Live GNOME:
Clicking on cancel causes the machine to halt.
Rebooting takes you to the point where the DM is about to start, but then the machine just dies. But I can't get that ISO to boot to a working desktop in any way, so don't read too much into that.

Mageia 5 Live GNOME
Clicking on cancel causes the machine to reboot. But it then boots straight to the login screen and lets you login as "live" with no password.

Mageia 6 Live GNOME
As with the 6.1 ISOs, clicking on cancel takes you straight to the login screen.

So the behaviour has changed a bit, but it has always left you with an insecure system if you click on cancel.

CC: (none) => mageia

Comment 3 Thomas Backlund 2018-08-11 00:09:42 CEST
and it's nothing that needs fixing for 6.1...

remember 6.1 is supposed to be a rollup of updates... it's not a new release...

CC: (none) => tmb

ben mcmonagle 2018-11-13 00:42:45 CET

Target Milestone: --- => Mageia 7

