Ubuntu security hole? (not super major, but wondering if it is an issue to report)

Chanchao custom at freenet.de
Wed May 10 04:30:20 UTC 2006


On Tue, 2006-05-09 at 14:51 +0100, towsonu2003 wrote:

> > HOWEVER, at this point it put me straight into a root shell!
> > 'root@ubuntu #'   So it did not prompt for a root password (obviously,
> > as there is none) but it also did not prompt for my own password.

> did you file a bug report?

No, I'm not at all convinced yet that it IS a bug, or that it's worth
reporting.  From reading some replies some people seem to consider it a
feature! (No obstacles or pesky passwords that would delay you in
getting the computer to work again!)

I realise that I have a tendency to title my posts a bit in a tabloid
newspaper style "SECURITY HOLE UNCOVERED?" as if we just hit an iceberg
in the North Atlantic or something, but I also included (in the title as
well as the post itself) that I primarily wanted to discuss this first.

After all there's loads of bugs being worked on at the moment, no need
to add something that could prove unimportant or frivolous but that
would nonetheless eat up developers' time to even look at and assess.

Still....  I share my computer with my family and I'm the only one with
root (Administrative/sudo) access, and that's for a reason.  If this
happens when someone else is at the keyboard then they get instant root
access. (Yes they could pop in a Live CD and snoop around, though as
we've seen this could be prevented/secured/discouraged.) 

Anyway I think I would prefer it if instead of dropping straight to a
root shell, the user was made to go in from the 'maintenance' option in
Grub. (Because that one can easily be secured). Then from the
*maintenance* boot option I don't mind going straight to root if
passwords/authentication isn't available.  This does not add a
significant extra obstacle to getting things working again. (The only
obstacle in fact is one that the administrator of the machine put in
place himself/herself, i.e. the securing of Grub with a password.)

Cheers,
Chanchao
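
The message above relies on the Grub 'maintenance' entry being the part that can be secured. As an added example (not from the original post or from Ubuntu), this sketch checks whether a GRUB legacy `menu.lst` actually gates its single-user entries; it assumes the GRUB legacy `password` and `lock` directives, and the sample file and placeholder hash are constructed for illustration.

```python
# Added example: audit a GRUB legacy menu.lst for unprotected single-user entries.
# SAMPLE_MENU_LST is constructed for illustration; the hash is a placeholder.
import re

SAMPLE_MENU_LST = """\
timeout 3
password --md5 PLACEHOLDER_HASH

title Ubuntu
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda1 ro quiet splash

title Ubuntu (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda1 ro single
"""

def audit_menu_lst(text):
    """Return (has_global_password, titles of single-user entries not gated)."""
    has_password = False
    entries = []
    current = None  # None while still in the global section before any title
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        cmd = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            current = {"title": arg, "gated": False, "single": False}
            entries.append(current)
        elif cmd == "password" and current is None:
            has_password = True          # global: menu editing needs the password
        elif current is not None and cmd in ("lock", "password"):
            current["gated"] = True      # this entry asks for the password
        elif current is not None and cmd == "kernel":
            tokens = arg.split()
            if any(t in ("single", "s", "S", "1") or t.startswith("init=")
                   for t in tokens):
                current["single"] = True
    exposed = [e["title"] for e in entries if e["single"] and not e["gated"]]
    return has_password, exposed

if __name__ == "__main__":
    has_pw, exposed = audit_menu_lst(SAMPLE_MENU_LST)
    print("global password set:", has_pw)
    for title in exposed:
        print("boots to single-user without a password:", title)
```

A global `password` line only stops the menu from being edited; an entry that already carries `single` still boots unprompted unless it also has `lock`, which is the case the sample file flags.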
