grub: High Security risk with default installation
Rich Rudnick
rich at aphroneo.net
Thu Mar 13 00:36:33 UTC 2008
Kuba Plichcinski wrote:
> Package: grub
> Version: 0.97-29ubuntu4
> Severity: critical
> Tags: security
> Justification: root security hole
>
>
> Default grub installation doesn't require password for grub.
> Without a password anyone can boot with option:
>
> init=/bin/sh
>
> Then it's enough to:
> mount -o remount,rw /
>
> To get full access in 20 seconds from boot.
>
If you want physical security of your box, set a BIOS password, put a
lock on the case, and put it in a safe. grub password protection is
illusory.