grub: High Security risk with default installation

Rich Rudnick rich at aphroneo.net
Thu Mar 13 00:36:33 GMT 2008


Kuba Plichcinski wrote:
> Package: grub
> Version: 0.97-29ubuntu4
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> Default grub installation doesn't require password for grub.
> Without a password anyoune can boot with option:
> 
> init=/bin/sh
> 
> Than it's enough to:
> mount -o remount,rw /
> 
> To get full access in 20 seconds from boot.
> 

If you want physical security of your box, set a bios password, put a
lock on the case, and put it in a safe. grub password protection is
illusory.






More information about the ubuntu-users mailing list