Sudo and USB flash drives
kassube at gmx.net
Sat Aug 18 20:39:13 UTC 2012
Bill Stanley wrote:
> On 08/18/2012 02:37 PM, Nils Kassube wrote:
> > Bill Stanley wrote:
> >> When I was repartitioning my HD and booting a USB flash drive, I
> >> found what may be a security flaw with sudo. This problem might
> >> not affect computers with Linux installed so this might not be a
> >> problem. It goes as follows...
> > [...]
> >> Do we really want to allow root access when booting to a flash
> >> drive? Maybe when booting from a USB drive or a CD-ROM, sudo
> >> should match the root (sudo) password that is on the Hard drive.
> >> Of course, since I did not have Linux installed yet, in this case
> >> sudo acted appropriately.
> > IMHO, there is no advantage if you check for an installed Linux and
> > use the root password from that partition. You pointed out the
> > next necessary check, i.e. find out the Windows admin password and
> > use that one, if there is only Windows on the machine. But what
> > would you suggest to do if there are Windows and Linux installed?
> > What if the disk is bought secondhand and you don't even know the
> > password of the still existing OS on that disk?
> > If the system isn't locked down and anyone can boot from external
> > media, it isn't safe anyway. Then why should an installation
> > medium check for existing passwords? IMHO that doesn't make much
> > sense.
> The issue of multiple OS's which are multi-booted is another thing
> that occurred to me. Which OS root (or admin) password do you
> choose? It is a bit of a conundrum. Still, sudo should keep people
> without sudo access from executing sudo privilege programs. If
> someone can easily get around sudo by booting off a flash drive what
> security is in that? I think that the sudo people should think
> about that!
If the owner of the machine allows anybody to boot from external
media, there is NO security. Then it doesn't matter if you need sudo
from the external medium because that external medium isn't necessarily
Linux. Why should a Linux install disk have lower access privilege than
e.g. a Windows install disk?