Sudo and USB flash drives

Bill Stanley bstanle at
Sat Aug 18 20:02:29 UTC 2012

On 08/18/2012 02:37 PM, Nils Kassube wrote:
> Bill Stanley wrote:
>> When I was repartitioning my HD and booting a USB flash drive, I
>> found what may be a security flaw with sudo.  This problem might not
>> affect computers with Linux installed so this might not be a
>> problem.  It goes as follows...
> [...]
>> Do we really want to allow root access when booting to a flash drive?
>> Maybe when booting from a USB drive or a CD-ROM, sudo should match
>> the root (sudo) password that is on the Hard drive.  Of course,
>> since I did not have Linux installed yet, in this case sudo acted
>> appropriately.
> IMHO, there is no advantage if you check for an installed Linux and use
> the root password from that partition. You pointed out the next
> necessary check, i.e. find out the Windows admin password and use that
> one, if there is only Windows on the machine. But what would you suggest
> to do if there are Windows and Linux installed? What if the disk is
> bought secondhand and you don't even know the password of the still
> existing OS on that disk?
> If the system isn't locked down and anyone can boot from external media,
> it isn't safe anyway. Then why should an installation medium check for
> existing passwords? IMHO that doesn't make much sense.

The issue of multiple OSes which are multi-booted is another thing that 
occurred to me.  Which OS root (or admin) password do you choose?  It is 
a bit of a conundrum.  Still, sudo should keep people without sudo access 
from executing sudo privilege programs.  If someone can easily get 
around sudo by booting off a flash drive, what security is in that?  I 
think that the sudo people should think about that!

Bill Stanley
