Booting in recovery mode must ask for a password

Bug #21994 reported by Ricardo Pérez López on 2005-09-19
44
This bug affects 2 people
Affects Status Importance Assigned to Milestone
sysvinit (Ubuntu)
Medium
Unassigned

Bug Description

(I choose "login" as package but I think it could be "sulogin" instead, but
"sulogin" isn't in the Package list above).

I think booting in recovery mode must ask for a password. By now, recovery mode
boots without asking for a password, and falls into a root prompt with admin
privileges without identyfing the user. I think this is a potential security
risk (even WinXP asks for a password when goes into recovery mode).

The solution could be to ask for the user password (the user created during
installation process, i.e. the "main" user), or a password of any user member of
the 'wheel' group.

What do you think?

Matt Zimmerman (mdz) wrote :

This is working as designed; note that the only way to access recovery mode is
with physical access to the system, and several other configuration changes must
be made in order to secure the console if that is desired (e.g., BIOS setup
passwords)

Sebastian (mdkuser) wrote :

I can confirm this bug. I using a encrypted /home /var /tmp and swap partition and a Floppy containing the key on it. When I boot the machine without insert the Keydisk before the crypted partitions cannot be mounted and the system drops me to a root shell withou asking for a password.
I know the sulogin shipped with Ubuntu is patched to handle disabled root account, so this is no bug in the software but should be considered as a bug in the concept. For security reasons please patch sologin to use authenthification against the password of the group admin rather than dropping a user to a root shell without authorisation. I know it's only a local issue and can only exploided locally, but if you are using Ubuntu as a Terminal for multiusers with everyone having physically access to it this is a security risk. The unpatched sulogin does ask for a root password so it must have been a reason for it. Why Ubuntu is patching the sulogin disabling the password feature rather than patching it that way sulogin asks for the user password of the first user (who is a member of group admin). Isn't that to hard to realize?

Colin Watson (cjwatson) wrote :

We chose to do this because otherwise, in the default configuration, there would be no way for a user to recover a lost password. Furthermore, you have forgotten that it's possible to boot with init=/bin/sh even if recovery mode were changed the way you described.

To protect against users with physical access, you must use a BIOS password, and possibly a bootloader password as well. We determined that sulogin's behaviour did not offer any meaningful additional security, and was a significant inconvenience in many cases. Note that Debian have taken the same change.

Jarno Suni (jarnos) wrote :

How do you boot with init=/bin/sh ? Couldn't it be prohibited by administrator? Most computer's BIOS lets you restrict which media can be used for boot. What is the point to ask password when normal user logs in Ubuntu, if you can log in as root without a password?

Colin Watson (cjwatson) wrote :

Booting with init=/bin/sh could be prevented by a bootloader password. You have in fact just given an excellent example of why a bootloader password is required if you are in an environment where this issue matters; init=/bin/sh completely bypasses any "protection" we might apply to recovery mode.

In the absence of such an environment where presumably there is local help at hand if necessary, we feel that it is far better to provide an escape hatch in case users lock themselves out of their own computers by mistake. Given physical access, as has already been noted on this bug, there are changes beyond our control that would be needed to prevent this in any case.

shclim (shclim) wrote :

I think we should answer some security questions to Recovery Mode before you are granted 'root' access.... the first user (the person who installed the operating system) could fill in the details upon installation.

e.g
Mothers Maiden Name?
Last School Attended

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.