Sudo and USB flash drives
Bill Stanley
bstanle at wowway.com
Sat Aug 18 20:02:29 UTC 2012
On 08/18/2012 02:37 PM, Nils Kassube wrote:
> Bill Stanley wrote:
>> When I was repartitioning my HD and booting a USB flash drive, I
>> found what may be a security flaw with sudo. This problem might not
>> affect computers with Linux installed so this might not be a
>> problem. It goes as follows...
>
> [...]
>
>> Do we really want to allow root access when booting to a flash drive?
>> Maybe when booting from a USB drive or a CD-ROM, sudo should match
>> the root (sudo) password that is on the Hard drive. Of course,
>> since I did not have Linux installed yet, in this case sudo acted
>> appropriately.
>
> IMHO, there is no advantage if you check for an installed Linux and use
> the root password from that partition. You pointed out the next
> necessary check, i.e. find out the Windows admin password and use that
> one, if there is only Windows on the machine. But what would you suggest
> to do if there are Windows and Linux installed? What if the disk is
> bought secondhand and you don't even know the password of the still
> existing OS on that disk?
>
> If the system isn't locked down and anyone can boot from external media,
> it isn't safe anyway. Then why should an installation medium check for
> existing passwords? IMHO that doesn't make much sense.
The issue of multiple OS's which are multi-booted is another thing that
occurred to me. Which OS root (or admin) password do you choose? It is
a bit of a corundum. Still, sudo should keep people without sudo access
from executing sudo privilege programs. If someone can easily get
around sudo by booting off a flash drive what security is in that? I
think that the sudo people should think about that!
Bill Stanley
More information about the ubuntu-users
mailing list