we should set a grub password by default

Wed May 16 05:07:27 UTC 2007

On 5/15/07, Matthew Paul Thomas <mpt at canonical.com> wrote:
> On May 16, 2007, at 10:33 AM, Phillip Susi wrote:
> >
> > Sven wrote:
> >>
> >> Modifying hardware is very different quality of impact than just
> >> pressing 2 keys to gain root access.
> >
> > It isn't any harder to insert a bootable cd.
>
> So a bootable CD here is analogous to a skeleton key, but people still
> use locks.

The cost of procuring a bootable CD is FAR below that of a skeleton
key. The analogy is tenuous at best. Skeleton keys are very rare
objects, heavily regulated, which have to be matched up by make,
model, and often serial number of the lock etc. The use of such is
pretty clear (door was unlocked and not picked => stolen key or
skeleton key). Clearly, none of these things apply to a LiveCD.

>
> I wonder if any of the people who make this sort of argument ever lock
> their screen, either manually or through their screensaver config.
> After all, what's the point of locking your screen when almost anyone
> who can see it has physical access to the computer anyway? ;-)

Yes, I always lock my laptop when I step away from it. I'm more
interested in creating a moderate barrier to entry than I am in
keeping them from completely controlling it. You can tell if someone's
stolen/rebooted it when you lock your screen.

>
> > ...
> > If your children are smart enough to edit the grub boot options, they
> > are smart enough to boot from a livecd.  Yes, having a grub password
> > adds another barrier, and having a bios password adds yet another, but
> > you have to remember that security is not either on or off.  It is not
> > an absolute, and it is not binary.  Security is a spectrum of gray, and
> > the conventional thinking is that the added security provided by a grub
> > password is too little to be worth the increased headache to the vast
> > majority of users.
> > ...
> > A gui grub configuration tool or an option to set a password in the
> > installer would be a welcome feature -- just not setting some well
> > known password by default.
> > ...
>
> So how feasible it would be for grub to accept the passphrase of any
> admin user, rather than having its own? That would be weird in the
> sense that the admin accounts are Ubuntu-specific, whereas grub is in
> theory controlling access to multiple OSes. But it would save
> subjecting people to an extra step in the installer, and it would make
> the grub passphrase no longer a headache.

That sounds like a bad idea from a security perspective. You're
basically taking the privileged account's pw and copying it to a new
place w/o the knowledge of the user. You're also doubling the entry
points (suppose for example that grub's MD5 implementation isn't up to
spec? I'd imagine that code is much less looked at than the code in
the main OS). We should pass around the primary user's pw as little as
possible. Another, and much more intrusive, idea would be to have it
somehow utilize a specified /etc/passwd, thus allowing us to
centralize user accounts/passwords. This also avoids the unexpected
incongruity between changing the user password and the grub password
not getting auto-updated.

But this still overlooks the main issue here. Adding a grub pw by
default adds no real barrier to entry at all. It only has an effect
when BIOS options are changed to prevent booting w/o pw or control CD
booting. Which requires a separate step anyways, so I don't think it's
that big a deal for us to have the user go ahead and run a single
command inside Ubuntu. Anyone dealing w/ a large installation where
they have these bios settings by default is using the alternative CD
anyways, so it's a non-starter there. It also avoids giving someone a
false sense of security by having useless "security" features enabled
by default.

>
> Cheers
> --
> Matthew Paul Thomas
> http://mpt.net.nz/
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
>

-- 
Mark Reitblatt