Re: Password-protect grub interactive commands

2007-11-12 Thread Milan
OK, just forget the GRUB password idea, I've understood how it can
become a complete mess. Sorry for the idea...

But what about that?

unggnu wrote:
> I like the way Ubuntu handles root, that sudo is always needed, so why
> don't we do it with Recovery mode too? Just don't autologin root, as if
> root had a password. Why not let the user log in with his user and
> then use sudo to gain root access, or set the user password for root and
> disable the account? With this no grub password/lock is needed but there
> is still basic security.
> If you are afraid that people forget their password, why not make a little
> program on the Live CD which can do that for you? Everyone can boot a CD
> and reset their password, but only if they have bios/boot access like
> every private person.

I really second this idea, doing that and locking GRUB for any
modification of kernel parameters except recovery mode would be a real
security improvement. We should not let Windows XP outdo Linux here.
And anyway, there is the LiveCD if really needed.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
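
The two GRUB controls argued over in this thread, a global password that blocks editing of boot parameters and a lock on the recovery entry, can be checked mechanically. The following is an added example, not part of any message in the thread and not Ubuntu or GRUB code: a Python audit of a GRUB legacy menu.lst using the password and lock commands from the GRUB manual's Security section linked in the thread. The sample menu.lst, its placeholder hash and the function names are constructed for illustration.

```python
import re

# Constructed sample in GRUB legacy menu.lst syntax; the hash is a placeholder.
SAMPLE_MENU_LST = """\
default 0
password --md5 $1$PLACEHOLDER$notARealHash

title Ubuntu
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet splash

title Ubuntu (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro single
"""

# Kernel arguments that boot straight to a root shell (single-user or custom init).
ROOT_SHELL_ARG = re.compile(r"^(single|s|S|1|init=.*)$")

def parse(text):
    """Split menu.lst into global commands and (title, commands) entries."""
    global_cmds, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            entries.append((args, []))
        elif entries:
            entries[-1][1].append((cmd, args))
        else:
            global_cmds.append((cmd, args))
    return global_cmds, entries

def audit(text):
    """Return findings for the two controls discussed: global password and lock."""
    findings = []
    global_cmds, entries = parse(text)
    passwords = [args for cmd, args in global_cmds if cmd == "password"]
    if not passwords:
        findings.append("no global password: boot parameters are editable")
    elif not passwords[0].startswith("--md5"):
        findings.append("global password is stored in clear text")
    for title, cmds in entries:
        guarded = False  # lock/password only protects commands that follow it
        for cmd, args in cmds:
            if cmd in ("lock", "password"):
                guarded = True
            elif cmd == "kernel" and not guarded:
                if any(ROOT_SHELL_ARG.match(a) for a in args.split()[1:]):
                    findings.append(f"unlocked root-shell entry: {title}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MENU_LST):
        print(finding)
```

As the replies in the thread point out, a clean report here says nothing about Live CD boot or drive removal; those are addressed by BIOS settings and disk encryption, not by menu.lst.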


Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-12 Thread Thilo Six
Nicolas Deschildre wrote the following on 12.11.2007 11:04

<<-snip->>

> This is EOT for me.
> 
> Nicolas

Nicolas, if I sounded rude in my last mail, I apologize for that.


bye
-- 
Thilo

key: 0x4A411E09




Re: Password-protect grub interactive commands

2007-11-12 Thread unggnu
Chris Warburton wrote:
> On Sat, 2007-11-10 at 17:41 +0100, Thilo Six wrote:
>> Milan wrote the following on 10.11.2007 16:56
>>
>> <<-snip->>
>>
>>> All in all, I'd rather suggest to activate password-locked GRUB, but I
>>> understand this question is hard to decide. Does anybody see other
>>> arguments on both sides?
>> against:
>> helping users on mailing lists or irc, with boot problems.
>>
> Exactly. In my opinion password protecting GRUB by default will cause
> headaches for a number of people, but it won't really make the system
> any more secure since physical access is gained by that point (thus
> allowing live media, removing the hard drive, etc.).
> 
> The only extra security measure I think is worth debating is full disk
> encryption. Such a thing would obviously be a nightmare for tech
> support, but since there are real security benefits I think it is worth
> considering and at least looking into. To me there is very little to be
> gained by password protecting GRUB though, so I'm against.
> 
> Thanks,
> Chris
> 
> 

I understand both opinions since there is a need for security and for
usability but I think there is another option than a grub password.

Ubuntu handles it similarly to Windows XP Home, which doesn't ask for an
administrator password during installation (XP Pro asks), so it was
always possible to use F8 to boot to recovery mode and log in without a
password and to reset the user password. So it is not possible without
some knowledge to gain basic security.

Imagine Ubuntu is installed on PCs in the sales area of a big store.
A customer can just reboot the PC, choose recovery and that's it. He
can do everything. Even if home is encrypted he is still able to
install a kernel module or a back door program which logs the password.
OK, an administrator should know how to protect Ubuntu but basic security
is important I think.
The standard configuration of the PCs in stores I know is Windows
2000/XP Pro., boot only from hard disk and a BIOS password. This would
protect a standard Windows Pro installation but not an Ubuntu one.
Of course you could remove the battery but you need a screwdriver and
many professional PCs have a lock and/or intrusion detection (make
noises after next boot).

I like the way Ubuntu handles root, that sudo is always needed, so why
don't we do it with Recovery mode too? Just don't autologin root, as if
root had a password. Why not let the user log in with his user and
then use sudo to gain root access, or set the user password for root and
disable the account? With this no grub password/lock is needed but there
is still basic security.
If you are afraid that people forget their password, why not make a little
program on the Live CD which can do that for you? Everyone can boot a CD
and reset their password, but only if they have bios/boot access like
every private person.

Btw. atm it is much harder to repair grub (e.g. after Windows
reinstallation) than to reset a password.

Administrators should know how to secure a system but we should make it
as easy as possible to prevent mistakes I think.

Thanks,
Unggnu





Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-12 Thread Nicolas Deschildre
On Nov 12, 2007 2:15 PM, Scott James Remnant <[EMAIL PROTECTED]> wrote:
> On Sat, 2007-11-10 at 14:06 +0800, Nicolas Deschildre wrote:

[...]

>
> For the simplest installations, GRUB could perhaps read /etc/shadow and
> accept any user's password -- but that would be error-prone, open to
> exploit, and wouldn't support the kinds of installations you talk about
> later in this thread: corporate environments which often use centralised
> authentication.

You're right, I overlooked that. And adding Jan Claeys' good remark on
the keyboard layout, I'm now convinced that password protecting grub
is not good by default.

Thanks for your comments.

This is EOT for me.

Nicolas



Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-11 Thread Scott James Remnant
On Sat, 2007-11-10 at 14:06 +0800, Nicolas Deschildre wrote:

> But then, why not use this password feature by default to avoid anyone
> to edit boot parameter and become root?
> 
Because it adds a level of complexity without a significant gain.

The additional complexity is that users would have to decide on two
passwords during the installation procedure, and remember them both --
which is a large part of the reason we leave the root account locked and
use sudo instead.

For the simplest installations, GRUB could perhaps read /etc/shadow and
accept any user's password -- but that would be error-prone, open to
exploit, and wouldn't support the kinds of installations you talk about
later in this thread: corporate environments which often use centralised
authentication.


The reason for no significant gain is that anybody with physical access
can simply pop a Live CD into the drive and get at your disk that way.
Or open the case and take the drive with them.


Our favoured solution to the "data security" problem is to encrypt your
filesystem; the passphrase is needed on boot (just as with GRUB) except
now any amount of fiddling with boot options cannot bypass it since the
data is scrambled without it.  Likewise, neither a Live CD nor inserting
the stolen drive into another machine can get at your data either --
since it's still encrypted and still requires the passphrase to access.

The alternate CD provides an option for this today; so if this is
important to you, I suggest you use that.  Once we're happy with the
implementation, and the general feedback of it, it may eventually end up
becoming an option in the graphical installer as well.

Scott
-- 
Scott James Remnant
[EMAIL PROTECTED]




Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-11 Thread Jan Claeys
On Saturday 10-11-2007 at 14:06 [timezone +0800], Nicolas Deschildre
wrote:
> But then, why not use this password feature by default to avoid anyone
> to edit boot parameter and become root?

In addition to what was mentioned already: GRUB only knows about plain
US keyboards, while many/most users probably have localised keyboard
layouts, causing problems entering the password correctly.  Even worse, some
characters that they have on their keyboard, and thus could be used in a
password, are simply unavailable for entering while in GRUB...


-- 
Jan Claeys




Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-11 Thread Thilo Six
Nicolas Deschildre wrote the following on 11.11.2007 07:22
> On 11/10/07, Thilo Six <[EMAIL PROTECTED]> wrote:
>> Nicolas Deschildre wrote the following on 10.11.2007 07:06
>>
>> <<-snip->>
>>
>>> Thanks for the pointer.
>>> But then, why not use this password feature by default to avoid anyone
>>> to edit boot parameter and become root?
>> because it's as easy as to plug in a LiveCD and overcome that.

announce Ubuntu 8.04
==
Hardware Requirements:
  * 256MB RAM
  * 2gig hard disk space
  * a password protected BIOS
  * Manual setup of the boot sequence, where CD comes last

<<-snip->>

Well, I am interested in how this would work out - could be a nice social
experiment, don't you think?

Since Chris Warburton made it already very clear, I do not spend more time on
this.

EOT

Thanks
-- 
Thilo

key: 0x4A411E09




Re: Password-protect grub interactive commands

2007-11-10 Thread Aaron Whitehouse
> The only extra security measure I think is worth debating is full disk
> encryption.

I assume that by "full disk", you mean the areas that may have
personal data. Several places discuss this concept and I understand
that there is already an option in the Alternate CD to encrypt /home/.

Have a look at:
https://help.ubuntu.com/community/EncryptedFilesystemHowto
https://wiki.ubuntu.com/EncryptedFilesystems
( https://blueprints.launchpad.net/ubuntu/+spec/encrypted-filesystems )
https://blueprints.launchpad.net/ubuntu/+spec/privacy-tools

and, to a lesser degree:
https://blueprints.launchpad.net/ubuntu/+spec/easy-encryption
https://wiki.ubuntu.com/EncryptedStorage
https://wiki.ubuntu.com/EncFSIntegration

and, if you are really bored:
https://blueprints.launchpad.net/ubuntu/+spec/password-protected-folders
https://blueprints.launchpad.net/ubuntu/+spec/encryption-by-default
https://blueprints.launchpad.net/ubuntu/+spec/transparent-home-encryption

Hope this helps,

Aaron

-- 
FSF Associate Member: 5632



Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-10 Thread Nicolas Deschildre
On 11/10/07, Thilo Six <[EMAIL PROTECTED]> wrote:
> Nicolas Deschildre wrote the following on 10.11.2007 07:06
>
> <<-snip->>
>
> > Thanks for the pointer.
> > But then, why not use this password feature by default to avoid anyone
> > to edit boot parameter and become root?
>
> because it's as easy as to plug in a LiveCD and overcome that.


What about password protected BIOS and CD drive as last boot option?
- You open up the case, take the hard drive

Ok you have a house, you know that thieves can bypass advanced alarm
systems by using cutting-edge technology tools, so why bother, you
just leave the door unlocked?

Come on! Of course if you are really willing to get this data, if you
put in the resources, you will eventually have the data. The point
is, *don't make it too easy*.

>
>
> --
> Thilo
>
> key: 0x4A411E09
>
>


Re: Password-protect grub interactive commands

2007-11-10 Thread Nicolas Deschildre
On 11/11/07, Chris Warburton <[EMAIL PROTECTED]> wrote:
>
> On Sat, 2007-11-10 at 17:41 +0100, Thilo Six wrote:
> > Milan wrote the following on 10.11.2007 16:56
> >
> > <<-snip->>
> >
> > > All in all, I'd rather suggest to activate password-locked GRUB, but I
> > > understand this question is hard to decide. Does anybody see other
> > > arguments on both sides?
> >
> > against:
> > helping users on mailing lists or irc, with boot problems.
> >
> Exactly. In my opinion password protecting GRUB by default will cause
> headaches for a number of people,

True enough. If password protected GRUB was to be enabled, the
necessary actions/patches should be done so that the users' passwords
can be used to unlock GRUB. (Currently only one password can be used
in GRUB).

> but it won't really make the system
> any more secure since physical access is gained by that point (thus
> allowing live media, removing the hard drive, etc.).

Gaining physical access doesn't always mean it's done. I mean, just
one use case I have in mind : at an office with BIOS protected
computers, lots of people passing by, I'd rather bet on a five minute
snoop than to bring my screwdriver and start to dismantle my boss's
computer...
The point is, don't make it too easy.


> The only extra security measure I think is worth debating is full disk
> encryption. Such a thing would obviously be a nightmare for tech
> support, but since there are real security benefits I think it is worth
> considering and at least looking into. To me there is very little to be
> gained by password protecting GRUB though, so I'm against.
>
> Thanks,
> Chris
>
>


Re: Password-protect grub interactive commands

2007-11-10 Thread Chris Warburton

On Sat, 2007-11-10 at 17:41 +0100, Thilo Six wrote:
> Milan wrote the following on 10.11.2007 16:56
> 
> <<-snip->>
> 
> > All in all, I'd rather suggest to activate password-locked GRUB, but I
> > understand this question is hard to decide. Does anybody see other
> > arguments on both sides?
> 
> against:
> helping users on mailing lists or irc, with boot problems.
> 
Exactly. In my opinion password protecting GRUB by default will cause
headaches for a number of people, but it won't really make the system
any more secure since physical access is gained by that point (thus
allowing live media, removing the hard drive, etc.).

The only extra security measure I think is worth debating is full disk
encryption. Such a thing would obviously be a nightmare for tech
support, but since there are real security benefits I think it is worth
considering and at least looking into. To me there is very little to be
gained by password protecting GRUB though, so I'm against.

Thanks,
Chris




Re: Password-protect grub interactive commands

2007-11-10 Thread Thilo Six
Milan wrote the following on 10.11.2007 16:56

<<-snip->>

> All in all, I'd rather suggest to activate password-locked GRUB, but I
> understand this question is hard to decide. Does anybody see other
> arguments on both sides?

against:
helping users on mailing lists or irc, with boot problems.


> Cheers.


bye
-- 
Thilo

key: 0x4A411E09




Re: Password-protect grub interactive commands

2007-11-10 Thread Milan
The issue for now is clear: you can't leave your, say, laptop with anybody
for an hour or even less without risking he may easily get root access
and maybe change your password or modify your system. It can simply be
used to read "confidential" files, like personal mail, not like military
secret but just private. Ubuntu is almost inviting you to do this by
simply rebooting and choosing "Recovery", without any restriction (you
need to know how to use the very basics of console).

OTOH, inserting a LiveCD is almost as simple, and we can't prevent it.
Still, it's more complex to do. 1) The person must have the CD here by
hand, it may take time to get it 2) He must browse the system disks to
find the data he wants, use a chroot to change passwords (much more
complex, only quite advanced users can do that) 3) This is a slightly
different pace, since the "attacker" must use an external software/disc
to do that, as opposed to the "included" Recovery mode. Using a CD is
clearly choosing to attack the computer.

Anyway, you have to secure your BIOS if you want a reasonably secured
computer. But locking GRUB would help the user to go this way if he
wants to.


Now what are the drawbacks of asking for a password in GRUB? The only one I
can see is if you've lost your root/admin user password, or you have to
work on a system in which you don't have any password though you have
the authorization/request to administrate it. In this case, I think
requiring the admin to use a LiveCD is not abusive.

All in all, I'd rather suggest to activate password-locked GRUB, but I
understand this question is hard to decide. Does anybody see other
arguments on both sides?

Cheers.



Re: Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-10 Thread Thilo Six
Nicolas Deschildre wrote the following on 10.11.2007 07:06

<<-snip->>

> Thanks for the pointer.
> But then, why not use this password feature by default to avoid anyone
> to edit boot parameter and become root?

because it's as easy as to plug in a LiveCD and overcome that.


-- 
Thilo

key: 0x4A411E09




Password-protect grub interactive commands (was: rationale of root access from boot)

2007-11-09 Thread Nicolas Deschildre
On Nov 4, 2007 6:35 PM, Oystein Viggen <[EMAIL PROTECTED]> wrote:
> * ["Nicolas Deschildre"]
>
> > My point was not about the parameter itself. My point was about the
> > ability to edit the kernel parameters while booting.
> > IIRC lilo won't allow you that.
>
> http://www.gnu.org/software/grub/manual/html_node/Security.html

Thanks for the pointer.
But then, why not use this password feature by default to avoid anyone
to edit boot parameter and become root?

>
> Lilo has a similar password feature, but no distribution I've used had
> lilo passwords enabled by default.  For rationale, it's just obnoxious
> when you finally need to boot to single user, and you get asked for a
> password that you haven't used since you installed the box.
>
> Øystein
> --
> This message was generated by a flock of happy penguins.
>
>