grub: High Security risk with default installation

NoOp glgxg at
Wed Mar 12 23:51:34 UTC 2008

On 03/11/2008 05:46 AM, Kuba Plichcinski wrote:
> Package: grub
> Version: 0.97-29ubuntu4
> Severity: critical
> Tags: security
> Justification: root security hole
> Default grub installation doesn't require password for grub.
> Without a password anyoune can boot with option:

The grub installer offers the _option_ to set a password. Further, you
can use grub-md5-crypt or install startupmanager for an easy gui
interface that will also allow you to set a grub password.

That said, unless the entire disk is encrypted it doesn't make much
difference as one can always mount the drive & modify from Knoppix, etc.

More information about the ubuntu-users mailing list