no login prompt at "recovery mode"-boot

Reported by Thomas C. on 2008-10-15
Affects Status Importance Assigned to Milestone
Ubuntu
Undecided
Unassigned

Bug Description

I have found out that when I boot over grub in the "recovery mode", I can drop to a root shell without entering a password?! HELLO??? What's wrong? This can't be true!

Thomas C. (thomas-creutz) wrote :

user@nb:~$ lsb_release -rd
Description: Ubuntu intrepid (development branch)
Release: 8.10

Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Ubuntu has disabled the root (or superuser) password and uses the sudo command instead. For details on its usage and security implications, please see https://help.ubuntu.com/community/RootSudo for details.

Thomas C. (thomas-creutz) wrote :

Hello?! What have you not understood?

Everybody can take control of my notebook, without authentication!? That is OK??

Jamie Strandboge (jdstrand) wrote :

The only way to protect your data if an attacker has physical access to your machine is via encryption. E.g., if they can reboot and see the grub prompt, then they can just as easily insert a live CD and have access to everything, bypassing the root password altogether. If you use a grub password, then they can remove the drive and mount it in another system.

You can use LVM disk encryption from the alternate installer CD or the newly integrated ecryptfs functionality in https://wiki.ubuntu.com/EncryptedPrivateDirectory.

Thomas C. (thomas-creutz) wrote :

OK.. I make this hole public to the world.. we will see if it gets fixed or not..

Thomas C. (thomas-creutz) wrote :

When it is checked by YouTube you can see it at this address:
http://www.youtube.com/watch?v=ThYUX0_qKU8

Christoph Langner (chrissss) wrote :

Perhaps you should watch this... I'll call it "Hacking Debian"...

http://blip.tv/file/1419401

As long as you don't encrypt your files, everyone who has direct access to your hardware is able to get your data...
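
The trade-off Jamie Strandboge describes above (a grub password versus encryption) can be audited on a machine. The script below is an added example, not part of the original thread or of Ubuntu's code. It assumes GRUB legacy's menu.lst syntax (`password`, `lock`) and an /etc/crypttab-style file; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst and a crypttab for the exposure
# discussed in this thread. All sample data below is constructed.

# Print the title of every recovery/single-user entry that boots without a
# password. A global "password" line only blocks menu editing; an entry also
# needs "lock" (or its own "password") before it stops booting freely.
unprotected_recovery_entries() {
    awk '
        function report() {
            if (title != "" && recovery && !entry_pw && !(global_pw && locked))
                print title
        }
        /^[ \t]*#/ { next }              # Ubuntu keeps examples in comments
        $1 == "title" {
            report()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            recovery = (title ~ /recovery mode/); locked = 0; entry_pw = 0
            next
        }
        $1 == "password" { if (title == "") global_pw = 1; else entry_pw = 1 }
        $1 == "lock"     { locked = 1 }
        $1 == "kernel" && / single( |$)/ { recovery = 1 }
        END { report() }
    ' "$1"
}

# Succeeds when the crypttab lists at least one encrypted volume. It does not
# detect an ecryptfs private directory, which is configured per user.
has_encrypted_volume() {
    awk '!/^[ \t]*(#|$)/ { found = 1 } END { exit !found }' "$1"
}

# Constructed menu.lst: global password set, only the second recovery entry locked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password topsecret
password --md5 $1$PLACEHOLDER$PLACEHOLDERHASH
title Ubuntu, kernel A
kernel /boot/vmlinuz-A root=/dev/sda1 ro quiet splash
title Ubuntu, kernel A (recovery mode)
kernel /boot/vmlinuz-A root=/dev/sda1 ro single
title Ubuntu, kernel B (recovery mode)
lock
kernel /boot/vmlinuz-B root=/dev/sda1 ro single
EOF
unprotected_recovery_entries "$sample"
```

Even when this reports no unprotected entries, the disk can still be read from a live CD or another system unless `has_encrypted_volume` also succeeds, which is the point made in the replies above.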

This report contains Public Security information
Everyone can see this security related information.