Page 1 of 32 12311 ... LastLast
Results 1 to 10 of 315

Thread: Physical access is root access

  1. #1
    Join Date
    Mar 2007
    Beans
    13

    Physical access is root access

    hi everyone
    fresh install 704 last night. starting up from GRUB in "recovery mode" brings me to root shell without even asking for a username and password!!!!!!!

  2. #2
    Join Date
    Jan 2006
    Location
    United Kingdom
    Beans
    2,787
    Distro
    Kubuntu 6.06 Dapper

    Re: root shell without username and password!!!

    That's because by default there isn't one...

    Check the archives as this is becoming FAQ #1!

    The bottom line is that whilst this may initially sound alarming think about it - if someone has got physical access to your machine to boot into recovery mode then they've got access to everything anyway (unless your disks are encrypted). Even with a root password they can easily boot with a LiveCD, change the password files, restart and they're in.

    Mathew
    www.NewtonNet.co.uk - Now supporting IPv6!

    ~ Please don't use PM's to request assistance - post your query on the forum and share the discussion - if you've got a problem chances are you won't be the only one! ~

  3. #3
    Join Date
    Mar 2007
    Beans
    13

    Re: root shell without username and password!!!

    Quote Originally Posted by MJN View Post
    The bottom line is that whilst this may initially sound alarming think about it - if someone has got physical access to your machine to boot into recovery mode then they've got access to everything anyway (unless your disks are encrypted). Even with a root password they can easily boot with a LiveCD, change the password files, restart and they're in.

    Mathew
    you got a point. but then again, why ask password and username at normal startup then? i think this is an a serious issue.
    linux is all about security and stability. i think at install everything must be, as you have sad, encrypted. otherwise nothing much makes a sense.

  4. #4
    Join Date
    May 2005
    Beans
    327

    Re: root shell without username and password!!!

    Actually, security is a lot about prioritizes. To a lot of people the possibly to rescue a system with a LiveCD is more important then the extra locale security an encrypted drive gives you. In some environments, and especially on laptops, it might be a good idea to encrypt your harddrive. That doesn't make it so in every case.

    Still, if someone has physical access to your computer there are always risks involved. By the way, if someone plugged in a small recording device between your computer and your keyboard, are you sure you would notice?

  5. #5
    Join Date
    Feb 2007
    Location
    Fairfield, Ohio
    Beans
    126
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: root shell without username and password!!!

    Below is a link that explains how to boot to a root shell without a password. I was very surprised when I read this. How could a Network/System Admin prevent users from doing this on their Workstation?

    http://www.ubuntugeek.com/how-to-rec...er-ubuntu.html

  6. #6
    Join Date
    Sep 2007
    Beans
    75

    Re: root shell without username and password!!!

    Linux is primarily used on servers. Imagine a server running Linux in a modern colo facility. It's a high security building, you typically need swipe cards to get in, rooms are kept locked and the machine itself is in a locked cupboard.

    Physical access is a low priority compared to say, securing running services that are facing the Internet. If you install telnet and leave your system wide open, somebody can root you from a thousand miles away, but they can't get physical access.

    That's why sysadmins and Linux distros in general typically think about remote security first.

  7. #7
    Join Date
    Feb 2007
    Location
    Fairfield, Ohio
    Beans
    126
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: root shell without username and password!!!

    Quote Originally Posted by /etc/init.d/ View Post
    Linux is primarily used on servers. Imagine a server running Linux in a modern colo facility. It's a high security building, you typically need swipe cards to get in, rooms are kept locked and the machine itself is in a locked cupboard.

    Physical access is a low priority compared to say, securing running services that are facing the Internet. If you install telnet and leave your system wide open, somebody can root you from a thousand miles away, but they can't get physical access.

    That's why sysadmins and Linux distros in general typically think about remote security first.
    Isn't the whole purpose of Ubuntu to bring Linux to the Desktop? I understand what you are saying about servers, but I'm referring directly to the Desktop.

  8. #8
    Join Date
    May 2006
    Beans
    Hidden!

    Re: root shell without username and password!!!

    This is the same as on Windows. If you have physical access to a Windows PC, it is trivial getting admin access without a password. You could add a root password on there, or Ubuntu could do it by default, but it would really be the illusion of additional security more than anything.

    Just lock your doors and worry about remote threats.

  9. #9
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,023
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: root shell without username and password!!!

    Quote Originally Posted by Cybergod View Post
    Below is a link that explains how to boot to a root shell without a password. I was very surprised when I read this. How could a Network/System Admin prevent users from doing this on their Workstation?
    you set a password on the root account with
    Code:
    sudo -i
    passwd root
    exit
    that automatically protects the recovery mode by asking for a root password - if i remember well

    It's useless unless you also
    - password protect the grub menu, and lock the recovery menu item in it
    - set the boot order in the BIOS to alwas boot Hard disk first or hard disk only (to prevent CD boots that circumvent your password protection
    - password-protect the BIOS setup to prevent users from modyfing the boot order again.

    additional measures may include
    - lock up the PC to prevent it from being stolen or its disks from being removed (or from someone inserting an alternative hard disk to boot from), or to prevent someone from hard-resetting the bios password

  10. #10
    Join Date
    Mar 2005
    Location
    Netherlands
    Beans
    734
    Distro
    Ubuntu Karmic Koala (testing)

    Re: root shell without username and password!!!

    You can easily remove the recovery mode from the grub menu.

Page 1 of 32 12311 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •