Recovery Mode allows full root access without a password
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu | Invalid | Undecided | Unassigned | |
Bug Description
Ubuntu Hardy just updated to the newest kernel which broke my sound and Nvidia drivers. That's a separate issue, but it made me try to boot my computer into "Recovery Mode" as offered by the grub menu. One of the options offered here was a chance to drop to a root shell.
Much to my surprise, I was greeted with full access to all the files belonging to all users on this computer. I thought Ubuntu had locked down the root account so that it could only be accessed by people who "sudo su" and who are part of the admin group. See https:/
With the exception of this, my computer is pretty well locked down--the BIOS password is set and we can only boot to the first HDD (with grub), but now this root shell bothers me.
Rather than full root access, could we instead be greeted with a login prompt similar to that seen when dropping to a TTY by pressing ctrl-alt-f1? Then an admin user could sudo su, or could have previously set up a root password, but having this as a default seems a little risky.
If this has been fixed in newer releases, would it be possible to get a security or backport release that would edit the grub or recovery menu to disallow this by default?
Many Thanks,
Ryan
Thanks for submitting this bug in efforts to help improve Ubuntu. This is a feature, not a bug. There are several reasons that this is available to you in the grub menu. If you want to add a little more security you can edit your /boot/grub/menu.lst file and comment out the recovery mode (which I'm not recommending to you), and then set a grub password by following several tutorials available in the forums.
Thanks for your time.
Chris
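An added example, not part of the original thread: a shell check for the hardening the reply mentions, reporting whether a GRUB legacy menu.lst sets a global `password` and whether every entry that boots with `single` carries `lock`. The sample entries, kernel names and hash are constructed placeholders, and the function names are hypothetical.

```shell
# Added example: audit a GRUB legacy menu.lst (file argument or stdin) for
# single-user entries that boot without the GRUB password. Exit 1 on findings.
audit_menu_lst() {
    awk '
        function flush() {   # report the entry just finished, if it is exposed
            if (in_entry && single && !locked) {
                print "UNLOCKED single-user entry: " title; bad++
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "password" && !in_entry { have_pw = 1; next }
        $1 == "title" {
            flush()
            in_entry = 1; single = 0; locked = 0
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            next
        }
        in_entry && $1 == "lock" { locked = 1 }
        in_entry && $1 == "kernel" {
            for (i = 2; i <= NF; i++) if ($i == "single") single = 1
        }
        END {
            flush()
            if (!have_pw) { print "NO global password directive"; bad++ }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed sample: stock-style file with an open recovery entry.
sample_weak() { cat <<'EOF'
title Ubuntu, kernel X.Y.Z-generic
kernel /boot/vmlinuz-X.Y.Z-generic root=/dev/sda1 ro quiet splash
title Ubuntu, kernel X.Y.Z-generic (recovery mode)
kernel /boot/vmlinuz-X.Y.Z-generic root=/dev/sda1 ro single
EOF
}

# Constructed sample: same entries with a password set and recovery locked.
sample_hardened() { cat <<'EOF'
password --md5 $1$CONSTRUCTED$notARealHashPlaceholder0
title Ubuntu, kernel X.Y.Z-generic
kernel /boot/vmlinuz-X.Y.Z-generic root=/dev/sda1 ro quiet splash
title Ubuntu, kernel X.Y.Z-generic (recovery mode)
lock
kernel /boot/vmlinuz-X.Y.Z-generic root=/dev/sda1 ro single
EOF
}

sample_weak | audit_menu_lst || true   # demo on the constructed weak sample
```

On a real system the call would be `audit_menu_lst /boot/grub/menu.lst`.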