no login prompt at "recovery mode"-boot

Bug #283662 reported by Thomas
This bug affects 1 person

Affects: Ubuntu
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have found out that when I boot via GRUB in the "recovery mode", I can drop to a root shell without entering a password?! HELLO??? What's wrong? This can't be true!

Thomas (t.c) wrote :

user@nb:~$ lsb_release -rd
Description: Ubuntu intrepid (development branch)
Release: 8.10

Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Ubuntu has disabled the root (or superuser) password and uses the sudo command instead. For details on its usage and security implications, please see https://help.ubuntu.com/community/RootSudo for details.

Thomas (t.c) wrote :

Hello?! What have you not understood?

Everybody can take control of my notebook, without authentication!? That is OK??

Jamie Strandboge (jdstrand) wrote :

The only way to protect your data if an attacker has physical access to your machine is via encryption. E.g., if they can reboot and see the grub prompt, then they can just as easily insert a live CD and have access to everything, bypassing the root password altogether. If you use a grub password, then they can remove the drive and mount it in another system.

You can use LVM disk encryption from the alternate installer CD or the newly integrated ecryptfs functionality in https://wiki.ubuntu.com/EncryptedPrivateDirectory.

Thomas (t.c) wrote :

Ok.. I make this hole public to the world.. we will see if it gets fixed or not..

Thomas (t.c) wrote :

When it is checked by YouTube you can see it at this address:
http://www.youtube.com/watch?v=ThYUX0_qKU8

Christoph Langner (chrissss) wrote :

Perhaps you should watch this... I'll call it "Hacking Debian"...

http://blip.tv/file/1419401

As long as you don't encrypt your files, everyone who has direct access to your hardware is able to get your data...
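
The checks below are an added example, not part of the original thread: they report the three things the comments above discuss (a locked root password, a GRUB password, and disk encryption) from text input. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Each check reads text on stdin so it
# can be run against real files or against the constructed samples below.

# True when root's shadow(5) hash field starts with '!' or '*' (no password can
# match), which is how a disabled root password appears.
root_password_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { hit = 1 } END { exit !hit }'
}

# True when a non-comment line sets a GRUB password (legacy "password" or
# GRUB 2 "password_pbkdf2"); commented-out template lines do not count.
grub_password_set() {
    awk '/^[ \t]*#/ { next }
         $1 == "password" || $1 == "password_pbkdf2" { hit = 1 }
         END { exit !hit }'
}

# True when any layer under the root filesystem is dm-crypt. Expected input:
#   lsblk -rsno NAME,TYPE "$(findmnt -no SOURCE /)"
root_fs_encrypted() {
    awk '$2 == "crypt" { hit = 1 } END { exit !hit }'
}

# report SHADOW_TEXT GRUB_TEXT LSBLK_TEXT -> "root=... grub=... disk=..."
# Per the comments above, only disk=encrypted protects the data from someone
# who holds the hardware; a GRUB password alone does not.
report() {
    r=not-locked; g=open; d=plain
    if printf '%s\n' "$1" | root_password_locked; then r=locked; fi
    if printf '%s\n' "$2" | grub_password_set; then g=password; fi
    if printf '%s\n' "$3" | root_fs_encrypted; then d=encrypted; fi
    echo "root=$r grub=$g disk=$d"
}

# Constructed samples (not taken from any real machine).
SHADOW='root:!:14150:0:99999:7:::'
GRUB_DEFAULT='# password topsecret
default 0'
GRUB_LOCKED='password --md5 CONSTRUCTED-HASH-PLACEHOLDER
default 0'
LSBLK_PLAIN='sda1 part
sda disk'
LSBLK_LUKS='vg-root lvm
sda5_crypt crypt
sda5 part
sda disk'

report "$SHADOW" "$GRUB_DEFAULT" "$LSBLK_PLAIN"
report "$SHADOW" "$GRUB_LOCKED" "$LSBLK_LUKS"
```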

This report contains Public Security information  
Everyone can see this security related information.
