How do I lock down the recovery shell...

[deepspring]

The big picture is that no matter what password you set on your BIOS / grub / or root, if I have physical access I can have full access to your system quite fast and I would not want you to fool yourself into feeling that somehow you have fixed the complications that physical access imply.

Not everyone in this world knows how to use a live disc to access a linux install and by pass authentication procedures. In fact there are very very few people who do. My setting a root password is my attempt at stopping the average joe/jill (the kind that doesn't carry a BackTrack CD) with only very basic knowledge from accessing a gaping security hole.

Most exploits target the root account, and so keeping it locked makes a lot of sense.

Locking the root account is what I've done, and its all I wanted to do.

IMO you should look at things like encryption.

When the next version of Ubuntu is officially released next month, I will look at using the Alternate CD method to install partition encryption. I prefer to fresh installs rather than upgrades (things break less).

I prefer to use truecrypt for the moment, as I can easily backup the encrypted volumes to an external disk or dvd drive in their encrypted form and open them later.

[bodhi.zazen]

he he he, just wondering (I am playing devils advocate, not really giving you a hard time, just trying to teach you a few "simple" tricks that IMO can really pay off for you.)

so you think the average joe/jill knows how to boot to recovery mode and enter Linux commands at the command prompt but not boot a live cd ?

The average jill/joe will be clueless at the command prompt.

IMHO, I think it is safe to assume anyone who can crack your system by booting to the recovery mode probably knows how to boot a linux live cd.

If you do not like the recovery mode, just remove the stanzas from /boot/grub/menu.lst

As you do so, note the syntax of the stanzas and you can manually boot to recovery mode if you wish (or use a live CD).

Truecrypt is a great tool.

[deepspring]

If you do not like the recovery mode, just remove the stanzas from /boot/grub/menu.lst

As you do so, note the syntax of the stanzas and you can manually boot to recovery mode if you wish (or use a live CD).

LOL!

Then I'd be stuck.

[bodhi.zazen]

Naw, we can show you how

look at the kernel line

boot normally, hit esc to get teh grub screen, hit e to edit the kernel line, add in a few things at the end of the line (look at /boot/grub/menu.lst I will spoon feed you only so much )

then boot.

[hyper_ch]

Installing a fully encrypted system is not difficult. Have a look at my little guide: http://www.howtoforge.com/encrypting...ion-ubuntu8.04

Beginning from 9.04 you can even encrypt swap with a random key (which is still bugged in 8.04 and 8.10).