grub: High Security risk with default installation

scott redhowlingwolves at nc.rr.com
Thu Mar 13 02:49:25 UTC 2008



Rich Rudnick wrote:
> Kuba Plichcinski wrote:
>> Package: grub
>> Version: 0.97-29ubuntu4
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>>
>> Default grub installation doesn't require a password for grub.
>> Without a password anyone can boot with option:
>>
>> init=/bin/sh
>>
>> Then it's enough to:
>> mount -o remount,rw /
>>
>> To get full access in 20 seconds from boot.
>>
> 
> If you want physical security of your box, set a bios password, put a
> lock on the case, and put it in a safe. grub password protection is
> illusory.
> 
> 
>
The only guarantee against somebody owning your box is to shut off all
Internet access and bury the box six feet under in concrete.

That is not a viable solution. If I have physical access to your box,
the sky is the limit. The sky being: time, knowledge and experience.

BIOS password or not. At some point you have to trust the user, or no
one will ever be able to configure their box how they like, etc, etc.
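To check a machine for the condition the quoted report describes, here is a small audit of a GRUB legacy menu.lst, added as an example and not part of the original message or of GRUB itself. It relies on GRUB 0.97's `password` and `lock` directives; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit a GRUB legacy (0.97) menu.lst. Prints one finding per line and
# returns 0 if there are none, 1 otherwise. Function name is hypothetical.
audit_menu_lst() {
    awk '
    function endstanza() {                   # runs when a title stanza ends
        if (title != "" && risky && !locked) {
            print "UNLOCKED: " title; bad = 1
        }
    }
    BEGIN { bad = 0; global = 0; title = ""; risky = 0; locked = 0 }
    { sub(/^[ \t]+/, "") }                   # drop indentation
    /^#/ || /^$/ { next }                    # skip comments and blank lines
    { split($0, f, /[ \t=]+/); cmd = f[1] }
    cmd == "title" {
        endstanza(); title = $0; sub(/^title[ \t=]+/, "", title)
        risky = 0; locked = 0; next
    }
    title == "" && cmd == "password" {       # directive in the global section
        global = 1
        if (f[2] != "--md5") { print "PLAINTEXT: password stored in clear"; bad = 1 }
        next
    }
    title != "" && (cmd == "lock" || cmd == "password") { locked = 1; next }
    title != "" && cmd == "kernel" && /[ \t](single|init=[^ \t]*)([ \t]|$)/ { risky = 1 }
    END {
        endstanza()
        if (!global) { print "NOPASSWORD: kernel line can be edited at the boot menu"; bad = 1 }
        exit bad
    }' "$1"
}
# Constructed sample files (not taken from a real system); the hash is a placeholder.
write_samples() {
    cat > "$1/default.lst" <<'EOF'
title Ubuntu, kernel (constructed)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet
title Ubuntu, kernel (constructed, recovery mode)
kernel /boot/vmlinuz root=/dev/sda1 ro single
EOF
    cat > "$1/hardened.lst" <<'EOF'
password --md5 PLACEHOLDER_HASH
title Ubuntu, kernel (constructed)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet
title Ubuntu, kernel (constructed, recovery mode)
lock
kernel /boot/vmlinuz root=/dev/sda1 ro single
EOF
}
```

Run it as `audit_menu_lst /boot/grub/menu.lst`; that path is the usual Ubuntu location for GRUB legacy and is an assumption here, since the thread does not name it.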



