grub: High Security risk with default installation

Sean Carolan scarolan at gmail.com
Wed Mar 12 23:56:16 UTC 2008


Sorry for the top-post.  Are you seriously reporting this as a bug?
If someone has physical access to your machine a grub password is not
going to stop them from mounting your filesystems.

If you need a grub password then by all means go ahead and set one.



On 3/11/08, Kuba Plichcinski <kuba at xpl.pl> wrote:
> Package: grub
> Version: 0.97-29ubuntu4
> Severity: critical
> Tags: security
> Justification: root security hole
>
>
> Default grub installation doesn't require password for grub.
> Without a password anyone can boot with option:
>
> init=/bin/sh
>
> Then it's enough to:
> mount -o remount,rw /
>
> To get full access in 20 seconds from boot.
>
>
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers gutsy-updates
>   APT policy: (500, 'gutsy-updates'), (500, 'gutsy-security'), (500,
> 'gutsy-backports'), (500, 'gutsy')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.22-14-generic (SMP w/2 CPU cores)
> Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages grub depends on:
> ii  libc6              2.6.1-1ubuntu10       GNU C Library: Shared libraries
> ii  libncurses5        5.6+20070716-1ubuntu3 Shared libraries for terminal
> hand
> ii  volumeid           113-0ubuntu17         volume identification tool
>
> grub recommends no packages.
>
> -- no debconf information
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>

-- 
Sent from Gmail for mobile | mobile.google.com
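
For readers who do want the password discussed in this thread, the following is an added example, not part of either message or of the grub package: a shell audit of a GRUB Legacy `menu.lst` for the `password` and `lock` directives. The function names, exit codes and sample files are constructed for illustration, and the hash shown is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GRUB Legacy menu.lst.
# Exit status: 0 = global --md5 password, 1 = plaintext password, 2 = none.
audit_menu_lst() {
    awk -F'[ \t=]+' '
        function close_entry() {
            if (in_entry && !locked)
                printf "NOTE: \"%s\" boots as written without a password\n", name
        }
        { sub(/^[ \t]+/, "") }            # strip indentation; awk re-splits $0
        /^#/ || /^$/ { next }             # comments and blank lines
        $1 == "title" {
            close_entry(); in_entry = 1; locked = 0
            name = $0; sub(/^title[ \t=]+/, "", name); next
        }
        # A password line before the first title is global: it disables the
        # entry editor and command line until the password is entered.
        $1 == "password" && !in_entry { global = 1; md5 = ($2 == "--md5"); next }
        # Inside an entry, lock or password makes booting it require a password.
        $1 == "password" || $1 == "lock" { locked = 1 }
        END {
            close_entry()
            if (!global) { print "FAIL: no global password, boot options are editable"; exit 2 }
            if (!md5)    { print "WARN: global password is plaintext, use --md5"; exit 1 }
            print "OK: global password set with --md5"
        }
    ' "$1"
}

# Constructed sample files (the hash is a placeholder, not a real digest).
write_samples() {
    cat > "$1/default.lst" <<'EOF'
default 0
title Ubuntu, kernel 2.6.22-14-generic
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro quiet splash
EOF
    cat > "$1/hardened.lst" <<'EOF'
password --md5 $1$PLACEHOLDER$HASHPLACEHOLDERHASH000
title Ubuntu, kernel 2.6.22-14-generic
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro quiet splash
title Ubuntu, kernel 2.6.22-14-generic (recovery mode)
lock
kernel /boot/vmlinuz-2.6.22-14-generic root=/dev/sda1 ro single
EOF
}

demo=$(mktemp -d); write_samples "$demo"
for f in "$demo"/*.lst; do echo "== ${f##*/}"; audit_menu_lst "$f" || echo "(exit $?)"; done
rm -rf "$demo"
```

A real hash for the `password --md5` line comes from `grub-md5-crypt`. As the reply above points out, this only governs the boot menu and does not protect the disk from someone with physical access.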



