Recovery mode
Colin Watson
cjwatson at ubuntu.com
Thu Jul 14 09:04:02 CDT 2005
On Thu, Jul 14, 2005 at 02:54:22PM +0100, Eamonn Sullivan wrote:
> On 14/07/05, Brett Profitt <brett at narnarnar.com> wrote:
> > While on this subject, I must point out that "recovery mode" is wickedly
> > insecure. I nearly fell out of my chair when I saw it automatically log
> > in *as root* with *no password*. I understand WHY this happens, but
> > that does not make it any less insecure.
> >
> > Most of the "solutions" I've seen consider locking grub to be the best
> > option, which, in my mind, is completely out of the question. Are there
> > any plans to correct this gaping security hole in Breezy?
>
> I don't believe this is a security hole. If someone can walk up to the
> keyboard of your computer, it's theirs. Adding a password or something
> during recovery mode would just give the illusion of greater security
> and complicate disaster recovery for newbies.
I heartily agree; this is not a security hole, because no security
boundary is being crossed inappropriately. Brett, if you don't think
locking grub is an option, then note that you can use it to edit the
command line and boot with init=/bin/sh ...
Cheers,
--
Colin Watson [cjwatson at ubuntu.com]
More information about the ubuntu-devel
mailing list