Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Should I disable recovery mode?

  1. #1
    Join Date
    Apr 2012
    Location
    Somewhere in Nevada...
    Beans
    142
    Distro
    Ubuntu 12.04 Precise Pangolin

    Should I disable recovery mode?

    I recently saw this article on how to reset Ubuntu passwords:

    http://www.liberiangeek.net/2012/09/...recovery-mode/

    While I can see how useful it would be to be able to reset a lost password, isn't this a bit of a major security hole? I mean, if someone were to steal my computer, even though I have my /home encrypted, wouldn't they just be able to boot into recovery mode and reset my password to gain access to all my files? Surely I'm misunderstanding something, because so far, Ubuntu and Linux/GNU systems in general seem so secure, and it seems rather odd for something like this to be possible...

    That being said, if I did read that right, and this is possible, would it be advisable to just disable recovery mode? My /home is on a separate partition from my system, so worst case scenario, if I managed to blow up my system, I could just do a fresh install rather than try to fix it via recovery mode.

    This article mentioned just a few pros and cons about recovery mode, but does anyone else have any thoughts? (Also, for anyone interested, it also says how to disable it.)
    http://www.liberiangeek.net/2012/09/...cise-pangolin/
    The main difference between Windows forums and the Ubuntu forums is that the Ubuntu forums has hundreds of questions and thousands of answers, but Windows forums just have hundreds of questions.
    As for the OS X forums, I wouldn't know, I'm too poor.

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I disable recovery mode?

    Not a security risk. Physical access == root access.

    You can password protect GRUB and you can password protect your BIOS.

    Unless you want to be stuck if/when an update completely borks your system, you should keep recovery mode enabled.

    Even if someone was able to get access to your hard drive, with an encrypted home folder, wouldn't that data be unreadable?

    http://ubuntuforums.org/showthread.php?t=2036124
    http://ubuntuforums.org/showthread.php?t=1933746
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,251

    Re: Should I disable recovery mode?

    Yes, it is a security problem but it is a convenient way to help someone that forgot their password, recover their system. It is placed there for use with friendly intentions.

    Although I personally do not use an ecrypted home nor have I ever used the recovery boot, I would imagine that changing the passcode in recovery boot would render your encrypted home inaccessible. I would imagine the recovery mode would simply update the /etc/passwd and /etc/shadow file, but not the key required to access the encrypted file system.

    I could be and am probably wrong, but who knows, maybe my common sense is going strong tonight.

    Feel free to disable it, It's really just all about personal preference. It is your computer and you can do as you wish.

  4. #4
    Join Date
    Apr 2012
    Location
    Somewhere in Nevada...
    Beans
    142
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I disable recovery mode?

    Quote Originally Posted by CharlesA View Post
    Even if someone was able to get access to your hard drive, with an encrypted home folder, wouldn't that data be unreadable?
    That's the idea, but since my /home is decrypted when I logon, then if someone were to reset my password with recovery mode, they could then log on and have access to my data, right? That's the main thing I'm worried about.

    Quote Originally Posted by collisionystm View Post
    I would imagine that changing the passcode in recovery boot would render your encrypted home inaccessible. I would imagine the recovery mode would simply update the /etc/passwd and /etc/shadow file, but not the key required to access the encrypted file system.
    Oh, that would be very good, I certainly hope so, but I'll have to test that later. I'll report back when I find out.

    Quote Originally Posted by CharlesA View Post
    Unless you want to be stuck if/when an update completely borks your system, you should keep recovery mode enabled.
    Well, I was prepared to accept that risk, but I think I'll wait and see try collisionystm's theory before I go mess things up. I'll test that sometime tomorrow, hopefully!
    The main difference between Windows forums and the Ubuntu forums is that the Ubuntu forums has hundreds of questions and thousands of answers, but Windows forums just have hundreds of questions.
    As for the OS X forums, I wouldn't know, I'm too poor.

  5. #5
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,251

    Re: Should I disable recovery mode?

    Good luck!

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I disable recovery mode?

    Quote Originally Posted by TheGuyWithTheFace View Post
    Well, I was prepared to accept that risk, but I think I'll wait and see try collisionystm's theory before I go mess things up. I'll test that sometime tomorrow, hopefully!
    I think that is how it works (passphrase is tied to your user account via the keyring), but I am not 100% sure as I haven't bothered to encrypt my home directory.

    In theory if the login password and keyring password don't match, it won't give you access to the encryption passphrase.

    Good luck with your testing!
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    Feb 2006
    Beans
    457

    Re: Should I disable recovery mode?

    TheGuyWithTheFace, I trust that you have good, tried & tested backups of all that you could loose if things do not quite unfold as expected?

  8. #8
    Join Date
    Feb 2011
    Location
    Maryland
    Beans
    2,251

    Re: Should I disable recovery mode?

    Quote Originally Posted by tubbygweilo View Post
    TheGuyWithTheFace, I trust that you have good, tried & tested backups of all that you could loose if things do not quite unfold as expected?

    Backups are for men with no sense of adventure!

  9. #9
    Join Date
    Apr 2012
    Location
    Somewhere in Nevada...
    Beans
    142
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Should I disable recovery mode?

    Quote Originally Posted by tubbygweilo View Post
    TheGuyWithTheFace, I trust that you have good, tried & tested backups of all that you could loose if things do not quite unfold as expected?
    Yes, thanks for your concern.

    Quote Originally Posted by collisionystm View Post
    Backups are for men with no sense of adventure!
    Data you don't have three copies of is data you don't want!

    That being said... Does anyone know of a way that I could run the dialogue one gets at first boot about recording your encryption passphrase? I remember running it, and then I lost it/didn't write it down, but that may come in handy in case I can't access my data. I haven't tried anything yet with recovery mode, but I guess knowing my encryption passphrase would be a good thing just in case.
    Last edited by TheGuyWithTheFace; February 6th, 2013 at 11:06 PM. Reason: Forgot to mention something.
    The main difference between Windows forums and the Ubuntu forums is that the Ubuntu forums has hundreds of questions and thousands of answers, but Windows forums just have hundreds of questions.
    As for the OS X forums, I wouldn't know, I'm too poor.

  10. #10
    Join Date
    Apr 2008
    Location
    LOCATION=/dev/random
    Beans
    5,767
    Distro
    Ubuntu Development Release

    Re: Should I disable recovery mode?

    Quote Originally Posted by TheGuyWithTheFace View Post
    Does anyone know of a way that I could run the dialogue one gets at first boot about recording your encryption passphrase? I remember running it, and then I lost it/didn't write it down, but that may come in handy in case I can't access my data.
    Just run the following command once you are logged in...
    Code:
    ecryptfs-unwrap-passphrase
    Cheesemill

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •