Crashing gdm3 intentionally returns to the greeter and allows setting a new admin pass
Originally created by @cypherpunks on #11071 (Redmine)
When gdm3 crashes, it brings you back to the greeter, which lets you set a password for the amnesia user (which is in wheel). This can be used to get root even after you started up Tails with the expectation that not setting a password means you will need to reboot to get root access again. Triggering a crash in gdm3 is easy and can be done in several ways, including simply messing with it until it crashes (yes, banging on keys and moving things around fast has crashed it in the past), fuzzing it (believe it or not, trinity has done this to me before), or most trivially, throwing it into the path of the oom killer.
The problem I see is that getting root on Tails is as simple as causing a single process to crash. It’s generally assumed that there are no solid permission boundaries on *nix for killing a process. That’s not a good combination.
This isn’t just some theoretical issue I came up with just now. In the past, I used to intentionally crash gdm3 in order to set an admin password if I started up and forgot to set one.
Related issues
- Related to #11587