Ubuntu QA:
Idea #23182: GRUB menu is insecure by default as is dropping to root shell.

This idea is a duplicate of Idea #23163: Improve security of recovery mode.
Written by Prosthetic Head the 31 Dec 09 at 01:43. Category: Security. Related project: Nothing/Others. Status: New
Rationale
By default GRUB / GRUB2 will allow anyone who walks up to the computer to select 'Recovery Mode' and gain root privileges. This is clearly insecure. There are also some circumstances in which a failed boot (e.g. fsck error) drops to a root shell. This is also highly insecure behaviour and should not be the default.

The 'recovery mode' boot option vulnerability is already widely known and reported all over the web. I understand that some users may forget their password but the rest of us should not have our security compromised for their convenience.

6
votes
closed
Solution #1: Password protect GRUB menu by default and require login for root shell.
Written by Prosthetic Head the 31 Dec 09 at 01:43.
GRUB / GRUB2 should be password protected by the installer by default, either using the primary user's details or requesting another set of login details for GRUB. I understand that GRUB and GRUB2 have this support already and integration with the installer is all that would be required.

Instead of dropping to a root shell directly on boot failure, the primary user's password should be required. I have no idea whether this would be easy to implement or not.

Giving root access to anyone local to the machine as freely as Ubuntu currently does is a very bad idea and needs attention.
7
votes
closed
Solution #2: Recommend a boot password to users during install slideshow.
Written by Darwin Survivor the 1 Jan 10 at 13:39.
As tommynz1975 mentioned, a boot password is a much more secure method and will also prevent people from using other boot devices. Of course boot passwords can be reset, but not nearly as easily as using a boot disk (requires physically OPENING the machine).
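
The GRUB2 password support that Solution #1 refers to can be checked from the generated configuration. The following is an added example, not part of the original thread or of any Ubuntu tool: it audits `grub.cfg` text for the two conditions discussed above (no `superusers` set, and a recovery entry that boots without authentication). The sample configurations, the user name `admin` and the placeholder hash are constructed for illustration.

```python
import re

# Constructed grub.cfg fragments for illustration (not taken from the page).
ENTRIES = '''
menuentry 'Ubuntu' --class ubuntu --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
'''
DEFAULT_CFG = ENTRIES  # no superusers: the situation the idea describes
HARDENED_CFG = ('set superusers="admin"\n'
                'password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH\n' + ENTRIES)

def audit_grub_cfg(text):
    """Return a list of findings about unauthenticated access in GRUB2 config text."""
    findings = []
    su = re.search(r'^\s*set\s+superusers=["\']?([^"\'\n]*)', text, re.M)
    superusers = [u for u in re.split(r'[\s,;&|]+', su.group(1)) if u] if su else []
    if not superusers:
        findings.append("no superusers set: menu editing and the GRUB shell are open to anyone")
    hashed = set(re.findall(r'^\s*password_pbkdf2\s+(\S+)', text, re.M))
    plain = set(re.findall(r'^\s*password\s+(\S+)', text, re.M))
    for user in superusers:
        if user in plain:
            findings.append(f"user {user}: plaintext password, use password_pbkdf2")
        elif user not in hashed:
            findings.append(f"user {user}: listed in superusers but has no password line")
    # Per the current GRUB manual: once superusers is set, an entry without
    # --unrestricted (or --users) can only be booted by a superuser.
    for m in re.finditer(r'^\s*menuentry\s+([\'"])(.*?)\1([^{\n]*)\{', text, re.M):
        title, opts = m.group(2), m.group(3)
        open_entry = not superusers or '--unrestricted' in opts
        if 'recovery' in title.lower() and open_entry:
            findings.append(f"entry '{title}': recovery mode boots without authentication")
    return findings

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_grub_cfg(cfg) or "no findings")
```

As the comments below point out, a clean result here only covers the boot menu: without full drive encryption, booting other media still reaches the files.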

Comments
tommynz1975 wrote on the 31 Dec 09 at 06:03
Not to bag Microsoft too much, but if your idea could be implemented then they would have made it extremely difficult for us to install the OS of choice. We can get into most systems with a live CD of Knoppix or Ubuntu or maybe other OSs too.

I would suggest for your personal system to have a boot password on your BIOS, so the person would need to wipe the CMOS if they did not know the boot password. Please remember, locks keep honest people out.

Darwin Survivor (Brainstorm moderator) wrote on the 1 Jan 10 at 13:39
@tommynz1975 I added your idea as a solution for you.

jhansonxi wrote on the 4 Jan 10 at 18:32
A bug should be filed with Knoppix (and every other LiveCD) as anyone can boot it and then mount the drives and access the files regardless of a Grub password.

In other words - worrying about the Grub password is idiotic if you're not using full drive encryption. With encryption it doesn't matter if the password is set or not.

Darwin Survivor (Brainstorm moderator) wrote on the 6 Jan 10 at 08:48
How exactly is that a "bug"? A lot of those bootable distros are specifically *designed* around that feature.

