recovery from stupid error
Oliver Grawert
ogra at ubuntu.com
Thu Jul 14 08:59:30 CDT 2005
hi,
On Thursday, 14.07.2005, at 09:43 -0400, Brett Profitt wrote:
> While on this subject, I must point out that "recovery mode" is wickedly
> insecure. I nearly fell out of my chair when I saw it automatically log
> in *as root* with *no password*. I understand WHY this happens, but
> that does not make it any less insecure.
>
> Most of the "solutions" I've seen consider locking grub to be the best
> option, which, in my mind, is completely out of the question. Are there
> any plans to correct this gaping security hole in Breezy?
would you prefer it to pretend security as other distros do with a root
password? it's only one additional boot option to boot a linux system
with direct root access without password (init=/bin/sh works on any
linux that has no grub password set). additionally, if you once have
direct physical access to a system you could also steal the HD or boot
from a liveCD or floppy to get direct access to the data... there is no
security with direct HW access. pretending security in this area is bad
imho.
ciao
oli