Re: [ubuntu-in] bug or what ?? logging into recovery mode without password
Hi

On Feb 2, 2008 9:55 PM, Gaurav Shah <[EMAIL PROTECTED]> wrote:
>
> If you are concerned about physical security, you MUST setup bootloader
> password.
> Similarly, it's also possible to boot using boot CDs and mount partitions
> on your system and access data without caring about the permissions etc.
> So what you say is a flaw should, in my opinion, be addressed under
> physical security.

i basically agree, there are many ways to hack into the machine / data. So physical protection is much required.

a few years back - before warty i installed fedora, mandrake and in both cases they asked for a root password. When it was not required during the Ubuntu install i did not give it much thought except - hey one less password to keep track of. But now i think maybe that was a good idea because it gave users a chance to secure that casual entry, even by mistake, as in my case.

***

So i have a choice now to go in for a boot / bios password and / or also make a root password

ram

--
ubuntu-in mailing list
ubuntu-in@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in
Re: [ubuntu-in] bug or what ?? logging into recovery mode without password
> we complain about the basic M$ windoze setup being insecure - this
> Ubuntu configuration is not dissimilar
>
> so do i file a bug report, a security flaw or what - and where.
>
> thanks
> ram
>
> On 1/4/08, Mehul Ved <[EMAIL PROTECTED]> wrote:
> > On 1/4/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > So is this a bug, and security hole or what. Does this need to be reported
> >
> > It's what is called single user mode. This is how it is.
> > No one can exploit it unless they have physical access to the machine.
> > If you want to avoid people having physical access to the machine to
> > be unable to exploit this then set GRUB password.

I believe, not only ubuntu, but for any linux distro, if you don't setup a bootloader password on your machine, it's very easy to get admin access and run any of the commands from the single user mode. It's a common practice by linux admins to use single user mode to recover lost root password.

If you are concerned about physical security, you MUST setup bootloader password.
Similarly, it's also possible to boot using boot CDs and mount partitions on your system and access data without caring about the permissions etc.
So what you say is a flaw should, in my opinion, be addressed under physical security.

thanks
gshah
Re: [ubuntu-in] bug or what ?? logging into recovery mode without password
Hi

Am not sure what the reason for this access "without password" to the root / recovery boot option is - but it's a flaw

in the first place why have any password if it can be circumvented by logging on as root
second nowhere during the (very easy) install does it give the option for a root password
third - even if it's a stand alone machine the reason the password exists is to have some basic precaution from allowing "anyone" to access the machine.
Fourth on a network (a basic one) where many machines are standalone units with independent booting etc i shudder at the implications of this flawed root access to the computer.

Of course there are many hacks into a machine but this flaw is really a basic oversight and i guess needs to be addressed,

we complain about the basic M$ windoze setup being insecure - this Ubuntu configuration is not dissimilar

so do i file a bug report, a security flaw or what - and where.

thanks
ram

On 1/4/08, Mehul Ved <[EMAIL PROTECTED]> wrote:
> On 1/4/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > So is this a bug, and security hole or what. Does this need to be reported
>
> It's what is called single user mode. This is how it is.
> No one can exploit it unless they have physical access to the machine.
> If you want to avoid people having physical access to the machine to
> be unable to exploit this then set GRUB password.
Re: [ubuntu-in] bug or what ?? logging into recovery mode without password
On 1/4/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> So is this a bug, and security hole or what. Does this need to be reported

It's what is called single user mode. This is how it is.
No one can exploit it unless they have physical access to the machine.
If you want to avoid people having physical access to the machine to be unable to exploit this then set GRUB password.
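An added example, not part of the original post: a small audit of a GRUB legacy `menu.lst` (the bootloader generation Ubuntu 7.04 shipped) that reports a missing global `password` line and single-user entries without `lock`. The sample file, its kernel path and the hash placeholder are constructed for illustration.

```python
import re

# Constructed sample in GRUB legacy menu.lst syntax (not taken from the thread).
SAMPLE_MENU_LST = """\
default 0
timeout 3
# password --md5 <md5-hash-from-grub-md5-crypt>

title Ubuntu (example kernel)
root (hd0,0)
kernel /boot/vmlinuz-EXAMPLE root=/dev/sda1 ro quiet splash
initrd /boot/initrd.img-EXAMPLE

title Ubuntu (example kernel) (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-EXAMPLE root=/dev/sda1 ro single
initrd /boot/initrd.img-EXAMPLE
"""

# Same file with the password line enabled and the recovery entry locked.
HARDENED_MENU_LST = (SAMPLE_MENU_LST
                     .replace("# password --md5", "password --md5")
                     .replace("(recovery mode)\n", "(recovery mode)\nlock\n"))

def audit_menu_lst(text):
    """Return a list of findings for a GRUB legacy menu.lst."""
    global_password = False
    entries = []  # one dict per 'title' stanza
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            entries.append({"title": args, "single": False, "protected": False})
        elif cmd == "password" and not entries:
            global_password = True  # before the first title: guards menu editing
        elif cmd in ("lock", "password") and entries:
            entries[-1]["protected"] = True  # entry needs the password to boot
        elif cmd == "kernel" and entries and "single" in args.split():
            entries[-1]["single"] = True  # boots straight to a root shell
    findings = []
    if not global_password:
        findings.append("no global password: boot entries can be edited at the menu")
    for e in entries:
        if e["single"] and not e["protected"]:
            findings.append("unprotected single-user entry: " + e["title"])
    return findings
```

On a real system the file to check is `/boot/grub/menu.lst`, and the hash for the `password --md5` line comes from `grub-md5-crypt`.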
Re: [ubuntu-in] bug or what ?? logging into recovery mode without password
There are several levels of security
1. Physical Security
2. Operating System security
3. Network security...

so this is an example of physical security, not that there is a flaw in the system
[ubuntu-in] bug or what ?? logging into recovery mode without password
Hi

Recently i wanted to login into my Ubuntu 7.04 machine into CLI mode - not knowing how to do this from the GRUB menu i selected the recovery mode.

It ran through all the start up procedures very quickly and ended up at a root prompt - so, just to try, using startx i went ahead to see if the GUI would work - it did. Showing all the drives mounted and usable

But what *shocked* me was that there was no need for a password (or user name) to login.

Was always comfortable that Ubuntu Linux was safe and no one would be able to login to it without a password.

It's one thing to enable a boot up password but this inherent flaw has me wondering -

So is this a bug, and security hole or what. Does this need to be reported

How can this be fixed.

regards
ram