Re: Password-protect grub interactive commands (was: rationale of root access from boot)
On Nov 12, 2007 2:15 PM, Scott James Remnant [EMAIL PROTECTED] wrote:
> On Sat, 2007-11-10 at 14:06 +0800, Nicolas Deschildre wrote:
> [...]
> For the simplest installations, GRUB could perhaps read /etc/shadow and accept any user's password -- but that would be error-prone, open to exploit, and wouldn't support the kinds of installations you talk about later in this thread: corporate environments which often use centralised authentication.

You're right, I overlooked that. And adding Jan Claeys' good remark on the keyboard layout, I'm now convinced that password protecting grub is not good by default.

Thanks for your comments. This is EOT for me.

Nicolas

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Password-protect grub interactive commands
OK, just forget the GRUB password idea, I've understood how it can become a complete mess. Sorry for the idea... But what about that?

unggnu wrote:
> snip
> I like the way Ubuntu handles root that always sudo is needed so why we don't make it with Recovery mode too? Just don't autologin root like root has a password. Why not let the user log in with his user and then use sudo to gain root access or set the user password for root and disable the account? With this no grub password/lock is needed but there is still basic security. If you are afraid if people forget their password why not make a little program on Live CD which can make that for you? Everyone can boot a CD and reset their password but only if they have bios/boot access like every private person.

I really second this idea, doing that and locking GRUB for any modification of kernel parameters except recovery mode would be a real security improvement. We should not let Windows XP overdo Linux here. And anyway, there is the LiveCD if really needed.
Re: Password-protect grub interactive commands (was: rationale of root access from boot)
Nicolas Deschildre wrote the following on 11.11.2007 07:22
> On 11/10/07, Thilo Six [EMAIL PROTECTED] wrote:
>> Nicolas Deschildre wrote the following on 10.11.2007 07:06
>> -snip-
>>> Thanks for the pointer. But then, why not use this password feature by default to avoid anyone to edit boot parameter and become root?
>>
>> because it's as easy as to plug in a LiveCD and overcome that.

announce Ubuntu 8.04
==
Hardware Requirements:
* 256MB RAM
* 2gig Harddisc space
* a password protected BIOS
* Manual setup in boot sequence, where CD comes last

-snip-

Well I am interested how this would work out - could be a nice social experiment, don't you think?

Since Chris Warburton made it already very clear I do not spend more time on this.

EOT

Thanks
--
Thilo

key: 0x4A411E09
Re: Password-protect grub interactive commands (was: rationale of root access from boot)
On Saturday 10-11-2007 at 14:06 [timezone +0800], Nicolas Deschildre wrote:
> But then, why not use this password feature by default to avoid anyone to edit boot parameter and become root?

In addition to what was mentioned already: GRUB only knows about plain US keyboards, while many/most users probably have localised keyboard layouts, causing problems to enter password correctly. Even worse, some characters that they have on their keyboard, and thus could be used in a password, are simply unavailable for entering while in GRUB...

--
Jan Claeys
Re: Password-protect grub interactive commands (was: rationale of root access from boot)
Nicolas Deschildre wrote the following on 10.11.2007 07:06
> -snip-
> Thanks for the pointer. But then, why not use this password feature by default to avoid anyone to edit boot parameter and become root?

because it's as easy as to plug in a LiveCD and overcome that.

--
Thilo

key: 0x4A411E09
Re: Password-protect grub interactive commands
The issue for now is clear: you can't let your, say, laptop to anybody for an hour or even less without risking he may easily get root access and maybe change your password or modify your system. It can simply be used to read confidential files, like personal mail, not like military secret but just private. Ubuntu is almost inviting you to do this by simply rebooting and choosing Recovery, without any restriction (you need to know how to use the very basics of console).

OTOH, inserting a LiveCD is almost as simple, and we can't prevent it. Still, it's more complex to do.
1) The person must have the CD here by hand, it may take time to get it
2) He must browse the system disks to find the data he wants, use a chroot to change passwords (much more complex, only quite advanced users can do that)
3) This is a slightly different pace, since the attacker must use an external software/disc to do that, as opposed to the included Recovery mode. Using a CD is clearly choosing to attack the computer.

Anyway, you have to secure your BIOS if you want a reasonably secured computer. But locking GRUB would help the user to go this way if he wants to.

Now what are the drawbacks of asking for a password in GRUB? The only one I can see is if you've lost your root/admin user password, or you have to work on a system in which you don't have any password though you have the authorization/request to administrate it. In this case, I think requiring the admin to use a LiveCD is not abusive.

All in all, I'd rather suggest to activate password-locked GRUB, but I understand this question is hard to decide. Does anybody see other arguments on both sides?

Cheers.
Re: Password-protect grub interactive commands
Milan wrote the following on 10.11.2007 16:56
> -snip-
> All in all, I'd rather suggest to activate password-locked GRUB, but I understand this question is hard to decide. Does anybody see other arguments on both sides?

against:
helping users on mailing lists or irc, with boot problems.

> Cheers.

bye
--
Thilo

key: 0x4A411E09
Re: Password-protect grub interactive commands
On Sat, 2007-11-10 at 17:41 +0100, Thilo Six wrote:
> Milan wrote the following on 10.11.2007 16:56
> -snip-
>> All in all, I'd rather suggest to activate password-locked GRUB, but I understand this question is hard to decide. Does anybody see other arguments on both sides?
>
> against:
> helping users on mailing lists or irc, with boot problems.

Exactly. In my opinion password protecting GRUB by default will cause headaches for a number of people, but it won't really make the system any more secure since physical access is gained by that point (thus allowing live media, removing the hard drive, etc.).

The only extra security measure I think is worth debating is full disk encryption. Such a thing would obviously be a nightmare for tech support, but since there are real security benefits I think it is worth considering and at least looking into. To me there is very little to be gained by password protecting GRUB though, so I'm against.

Thanks,
Chris
Re: Password-protect grub interactive commands
On 11/11/07, Chris Warburton [EMAIL PROTECTED] wrote:
> On Sat, 2007-11-10 at 17:41 +0100, Thilo Six wrote:
>> Milan wrote the following on 10.11.2007 16:56
>> -snip-
>>> All in all, I'd rather suggest to activate password-locked GRUB, but I understand this question is hard to decide. Does anybody see other arguments on both sides?
>>
>> against:
>> helping users on mailing lists or irc, with boot problems.
>
> Exactly. In my opinion password protecting GRUB by default will cause headaches for a number of people,

True enough. If password protected GRUB was to be enabled, the necessary actions/patches should be done so that the users' passwords can be used to unlock GRUB. (Currently only one password can be used in GRUB).

> but it won't really make the system any more secure since physical access is gained by that point (thus allowing live media, removing the hard drive, etc.).

Gaining physical access doesn't always mean it's done. I mean, just one use case I have in mind: at an office with BIOS protected computers, lots of people passing by, I'd rather bet on a five minute snoop than to bring my screwdriver and start to dismantle my boss's computer... The point is, don't make it too easy.

> The only extra security measure I think is worth debating is full disk encryption. Such a thing would obviously be a nightmare for tech support, but since there are real security benefits I think it is worth considering and at least looking into. To me there is very little to be gained by password protecting GRUB though, so I'm against.
>
> Thanks,
> Chris
Re: Password-protect grub interactive commands (was: rationale of root access from boot)
On 11/10/07, Thilo Six [EMAIL PROTECTED] wrote:
> Nicolas Deschildre wrote the following on 10.11.2007 07:06
> -snip-
>> Thanks for the pointer. But then, why not use this password feature by default to avoid anyone to edit boot parameter and become root?
>
> because it's as easy as to plug in a LiveCD and overcome that.

What about password protected BIOS and CD drive as last boot option?
- You open up the case, take the hard drive

Ok you have a house, you know that thieves can bypass advanced alarm systems by using cutting-edge technology tools, so why bother, you just let the door unlocked? Come on!

Of course if you are really willing to get this data, if you put in the resources, you will eventually have the data. The point is, *don't make it too easy*.

> --
> Thilo
>
> key: 0x4A411E09
Re: Password-protect grub interactive commands
> The only extra security measure I think is worth debating is full disk encryption.

I assume that by full disk, you mean the areas that may have personal data. Several places discuss this concept and I understand that there is already an option in the Alternate CD to encrypt /home/.

Have a look at:
https://help.ubuntu.com/community/EncryptedFilesystemHowto
https://wiki.ubuntu.com/EncryptedFilesystems
( https://blueprints.launchpad.net/ubuntu/+spec/encrypted-filesystems )
https://blueprints.launchpad.net/ubuntu/+spec/privacy-tools

and, to a lesser degree:
https://blueprints.launchpad.net/ubuntu/+spec/easy-encryption
https://wiki.ubuntu.com/EncryptedStorage
https://wiki.ubuntu.com/EncFSIntegration

and, if you are really bored:
https://blueprints.launchpad.net/ubuntu/+spec/password-protected-folders
https://blueprints.launchpad.net/ubuntu/+spec/encryption-by-default
https://blueprints.launchpad.net/ubuntu/+spec/transparent-home-encryption

Hope this helps,
Aaron
--
FSF Associate Member: 5632