Rich Rudnick wrote:
> Kuba Plichcinski wrote:
>> Package: grub
>> Version: 0.97-29ubuntu4
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>> Default grub installation doesn't require password for grub.
>> Without a password anyone can boot with option:
>> init=/bin/sh
>> Then it's enough to:
>> mount -o remount,rw /
>> To get full access in 20 seconds from boot.
> If you want physical security of your box, set a bios password, put a
> lock on the case, and put it in a safe. grub password protection is
> illusory.
The only guarantee against somebody owning your box is to shut off all
Internet access and bury the box six feet under in concrete.

That is not a viable solution. If I have physical access to your box,
the sky is the limit. The sky being: time, knowledge and experience.

BIOS password or not. At some point you have to trust the user, or no
one will ever be able to configure their box how they like, etc, etc.
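
For anyone who wants to check where a given machine stands on the setting the report describes, the following added example (not part of the thread and not code from the grub package) audits a GRUB legacy `menu.lst` for a global `password` directive and per-entry `lock`. Both sample files and the name `audit_menu_lst` are constructed for illustration, and the hash is a placeholder.

```python
import re

# Constructed sample: no password directive at all (the situation in the report).
UNPROTECTED = """\
default 0
timeout 3
title Ubuntu
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet
"""

# Constructed sample: global password (placeholder hash) and a locked entry.
PROTECTED = """\
default 0
password --md5 $1$PLACEHOLDER$notARealHashValue
title Ubuntu
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet
title Ubuntu (recovery mode)
lock
kernel /boot/vmlinuz root=/dev/sda1 ro single
"""

def audit_menu_lst(text):
    """Return (global_password, cleartext, {title: locked}) for a menu.lst."""
    global_password = cleartext = False
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            current = args
            entries[current] = False
        elif cmd == "password" and current is None:
            global_password = True          # menu editing now needs the password
            cleartext = not args.startswith("--md5")
        elif cmd in ("lock", "password") and current is not None:
            entries[current] = True         # entry needs the password to boot
    return global_password, cleartext, entries

if __name__ == "__main__":
    for name, sample in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, audit_menu_lst(sample))
```

A `lock` line only has an effect when a global `password` is also set, so an entry reported as locked in a file with no global password is still unprotected.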
