Results 1 to 10 of 10

Thread: Recovery root command-line doesn't require password?

  1. #1
    Join Date
    Dec 2007
    Location
    Central CA
    Beans
    459
    Distro
    Ubuntu 12.04 Precise Pangolin

    Recovery root command-line doesn't require password?

    So I had to boot into Recovery mode today (Ubuntu 10.04 desktop 64), and selected root command-line.

    It dropped me right into a command-line with root privileges without asking me for a password.

    Is this normal, or did I somehow break the security on my install?

  2. #2
    Join Date
    Feb 2006
    Beans
    457

    Re: Recovery root command-line doesn't require password?

    Dngrsone, normal as anyone with physical access to your kit can do this. Keep your machine safe and away from prying hands and eyes.

  3. #3
    winh8r is offline Iced Almond Soy Ubuntu, No Foam
    Join Date
    Sep 2007
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Recovery root command-line doesn't require password?

    It is normal for the "drop to root shell prompt" to appear in the recovery mode menu, in order to resolve issues with booting that require root privileges.

    As tubbygweilo says, this is where the saying "physical access is root access" comes from.

    Every computer system is vulnerable when an unauthorized person has physical access to it regardless of whether or not they have a password.

  4. #4
    Join Date
    Mar 2007
    Location
    Portsmouth, UK
    Beans
    Hidden!
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: Recovery root command-line doesn't require password?

    Quote Originally Posted by Dngrsone View Post
    So I had to boot into Recovery mode today (Ubuntu 10.04 desktop 64), and selected root command-line.

    It dropped me right into a command-line with root privileges without asking me for a password.

    Is this normal, or did I somehow break the security on my install?


    If you need local file security, you need encryption, or a means of physically securing the machine.

    Covering it in cement and placing it in a safe, in a concealed bomb shelter, for example.

  5. #5
    Join Date
    Sep 2007
    Location
    Netherlands
    Beans
    454
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Recovery root command-line doesn't require password?

    If this behaviour is a cause for concern (as I can imagine it is) it is simple to adjust. After you boot into your normal desktop, open a terminal and type after the prompt:
    Code:
    $> sudo passwd
    You will be prompted for your own password to execute the command as root, and then for a password and asked to retype it to confirm. If succesful this will have changed the password for root. From now on when you drop to a root prompt by way of the boot menu you will be asked for the password you just entered.
    Never upgrade your working system to the newest release without thorough testing on the actual hardware you will be running it on.
    Never perform a system update in a live session
    Installed Ubuntu Touch 1.0 on my Nexus 7. And loving it!

  6. #6
    Join Date
    Dec 2007
    Location
    Central CA
    Beans
    459
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Recovery root command-line doesn't require password?

    Quote Originally Posted by Grenage View Post
    If you need local file security, you need encryption, or a means of physically securing the machine.

    Covering it in cement and placing it in a safe, in a concealed bomb shelter, for example.


    Quote Originally Posted by arubislander View Post
    If this behaviour is a cause for concern (as I can imagine it is) it is simple to adjust. After you boot into your normal desktop, open a terminal and type after the prompt:
    Code:
    $> sudo passwd
    You will be prompted for your own password to execute the command as root, and then for a password and asked to retype it to confirm. If succesful this will have changed the password for root. From now on when you drop to a root prompt by way of the boot menu you will be asked for the password you just entered.
    Thanks for that tidbit, arubislander.

    My physical security is pretty good, and I'm the only one in the house who knows Linux anyway (everyone else barely knows how to use a mouse), but having that extra little bit of security might save me from something stupid happening by accident.

  7. #7
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Recovery root command-line doesn't require password?

    Quote Originally Posted by Dngrsone View Post




    Thanks for that tidbit, arubislander.

    My physical security is pretty good, and I'm the only one in the house who knows Linux anyway (everyone else barely knows how to use a mouse), but having that extra little bit of security might save me from something stupid happening by accident.
    You can still do something stupid running as root too.

  8. #8
    Join Date
    Mar 2012
    Beans
    4

    Re: Recovery root command-line doesn't require password?

    you can remove the recovery option in the grub boot menu but there is still another point of entry even without entering recovery mode.

  9. #9
    winh8r is offline Iced Almond Soy Ubuntu, No Foam
    Join Date
    Sep 2007
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Recovery root command-line doesn't require password?

    Live CD = "root" access

  10. #10
    Join Date
    Dec 2007
    Location
    Central CA
    Beans
    459
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Recovery root command-line doesn't require password?

    Quote Originally Posted by cariboo907 View Post
    You can still do something stupid running as root too.
    Quote Originally Posted by accessgranted View Post
    you can remove the recovery option in the grub boot menu but there is still another point of entry even without entering recovery mode.
    Quote Originally Posted by winh8r View Post
    Live CD = "root" access
    All very true; been there, and done all of the above.

    I know I'd be much safer if I encrypted the drive, but I have this fear of not being able to get back in after some unspecific disaster...

    As it is, I crash Ubuntu every other month when I forget to clear out my monthly backups.

    Realistically, though. I have few secrets. The worst that could happen if my laptop were stolen is I'd have to change a couple hundred passwords online and I'll lose some pages from my book.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •