grub: High Security risk with default installation
redhowlingwolves at nc.rr.com
Thu Mar 13 02:49:25 UTC 2008
Rich Rudnick wrote:
> Kuba Plichcinski wrote:
>> Package: grub
>> Version: 0.97-29ubuntu4
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>> Default grub installation doesn't require password for grub.
>> Without a password anyone can boot with option:
>> Then it's enough to:
>> mount -o remount,rw /
>> To get full access in 20 seconds from boot.
> If you want physical security of your box, set a bios password, put a
> lock on the case, and put it in a safe. grub password protection is
The only guarantee against somebody owning your box is to shut off all
Internet access and bury the box six feet under in concrete.
That is not a viable solution. If I have physical access to your box,
the sky is the limit. The sky being: time, knowledge and experience.
BIOS password or not. At some point you have to trust the user, or no
one will ever be able to configure their box how they like, etc, etc.