Ubuntu root access.

One of the greatest features that Linux has to offer is the ability to customize your version so that it works the way you like it. Being a computer science student, I have many friends that run Linux, and many running Windows (most dual boot).

With some of my Windows friends there is a bit of an ongoing war about whose computer is better: IBM vs Dell, Windows vs Linux vs Mac, Ubuntu vs Fedora, Firefox vs IE, Vista vs XP. The things to debate are endless; it's mostly all in good fun, but it can sometimes get heated. The great thing is that usually when someone finds a “flaw” with Ubuntu I can fix it on the spot if I so choose. A common argument is that the brown is ugly (I love the brown); all I need do is fire up beryl or compiz (gl desktop), and the argument is shut down.

The other day it was pointed out to me that a “flaw” was that if Ubuntu was booted into recovery mode, the user was then given root access without the need of a password. I know that /boot/grub/menu.lst controls grub, so I open it up with “sudo gedit /boot/grub/menu.lst” and search for the word “password”. At line 28 I find

## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecrete

I change it to

## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
password topsecrete

Go down to the bottom of the file and change

## ## End Default Options ##

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro quiet splash
initrd /boot/initrd.img-2.6.20-16-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro single
initrd /boot/initrd.img-2.6.20-16-generic

title Ubuntu, kernel 2.6.20-15-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro quiet splash
initrd /boot/initrd.img-2.6.20-15-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-15-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro single
initrd /boot/initrd.img-2.6.20-15-generic

title Ubuntu, memtest86+
root (hd0,0)
kernel /boot/memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST

to

## ## End Default Options ##

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro quiet splash
initrd /boot/initrd.img-2.6.20-16-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro single
initrd /boot/initrd.img-2.6.20-16-generic

title Ubuntu, kernel 2.6.20-15-generic
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro quiet splash
initrd /boot/initrd.img-2.6.20-15-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-15-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=8fdab1e2-1453-4eb3-a8db-a14dbff447d0 ro single
initrd /boot/initrd.img-2.6.20-15-generic

title Ubuntu, memtest86+
lock
root (hd0,0)
kernel /boot/memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST

Now the user cannot access anything but my default boot option without using the very secure password, lol. While I don’t consider it a bug that the user could have gained access to the root before without a password, I love how easy it is in Linux to prevent that kind of thing. Now all I need is to set my BIOS password so that the user can’t boot off anything but the hard disk without a password.
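A quick way to check a menu.lst for the points above, as an added example that is not part of the original post: it reports whether the first section has a password (and whether it is plaintext or --md5) and lists single-user entries that have no lock line. The function name `audit_menu_lst` and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample in GRUB legacy menu.lst syntax (UUID replaced by a placeholder).
SAMPLE = """\
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
password topsecrete

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=PLACEHOLDER ro quiet splash

title Ubuntu, kernel 2.6.20-16-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-16-generic root=UUID=PLACEHOLDER ro single

title Ubuntu, kernel 2.6.20-15-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.20-15-generic root=UUID=PLACEHOLDER ro single
"""

def audit_menu_lst(text):
    """Return (password_kind, findings); password_kind is None, 'plaintext' or 'md5'."""
    password_kind, entries = None, []      # entries: [title, locked, single_user]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # commented-out directives have no effect
        cmd, arg = (line.split(None, 1) + [""])[:2]
        cmd = cmd.lower()
        if cmd == "title":
            entries.append([arg, False, False])
        elif cmd == "password" and not entries:
            # only a password in the first section (before any title) is global
            password_kind = "md5" if arg.startswith("--md5") else "plaintext"
        elif cmd == "lock" and entries:
            entries[-1][1] = True
        elif cmd == "kernel" and entries:
            # a "single" or "1" kernel argument boots to single-user mode
            entries[-1][2] = bool(re.search(r"\s(single|1)(\s|$)", arg))
    findings = []
    if password_kind is None:
        findings.append("no password in first section: interactive editing is open")
    elif password_kind == "plaintext":
        findings.append("password is stored in plaintext: use a --md5 hash")
    for title, locked, single in entries:
        if single and not locked:
            findings.append("single-user entry without lock: " + title)
    return password_kind, findings

if __name__ == "__main__":
    kind, findings = audit_menu_lst(SAMPLE)
    print("password:", kind)
    for finding in findings:
        print("WARNING:", finding)
```
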

19 Responses to Ubuntu root access.

  1. This is actually pretty standard practice for most distributions. Ubuntu is just the only one that auto-adds a “recovery mode” option in grub. Anyone, on any distro (except Suse in my experience) can append “1” or “single” to the end of a grub kernel line and boot into the same “recovery mode”.

    If you want to add a password to yours, run grub-md5-crypt, which will ask for a password and return a hash value. Add a fourth line of “password --md5 ” (as seen in your example).

    Again, if this is a flaw in Ubuntu it is a flaw in every other distro (FC6, F7, RHEL, OEL, etc.). The same access that Ubuntu “recovery mode” gives is available; the user just has to manually add it at boot-time.

  2. earobinson says:

    I don’t think this is a flaw Christer, I was just pointing out how easy it is to fix it. And I know I could encrypt my password I just didn’t bother.

    Thanks for the feedback, I should have pointed out how easy it was to encrypt a password.

  3. Not bothering to encrypt the password? Bad boy… :) In any case someone with physical access to the machine only needs a few more minutes to break such a system, using a Live CD and mounting the partition / looking for the right info, as you may know.

    I was going to suggest taking a look at SUM: http://linuxfud.wordpress.com/2006/11/26/ubuntu-tool-highlight-startup-manager-configure-grub-and-usplash/

    Handle with care, as it has some warnings about possibly corrupting your setup. I haven’t tried it but it looks interesting and may become stable enough for future inclusion in Ubuntu.

  4. earobinson says:

    Fabian Rodriguez, it was more a proof of concept than anything else. I could use BIOS passwords and such to stop live CDs, but I’ll look at your link when I have some time.

    Thanks for the comment

  5. Ewan Mac Mahon says:

    Fabien’s point holds true though; an attacker with physical access can do anything, including extracting the disk and copying it using another machine. The only thing that can protect your data at that point is encryption.

    Christer @ 1 is missing a slight distinction between Ubuntu and most other distros; typically they’ll prompt for the root password if booted into single user/recovery mode – Ubuntu doesn’t have a root password by default so it can’t do that. I believe it will if you set one though.

  6. @Ewan – most other distros *don’t* require a root password on runlevel 1. I teach RHEL5 and OEL including FC3-6 and none of those require a root password when booting into runlevel 1. The *only* distro that I’ve found that does require it is SLES.

    /me heads off to blog about this topic…

  7. You really shouldn’t modify the DEBIAN AUTOMAGIC KERNEL LIST. All your changes will be lost next time you install a kernel, or any other package that invokes update-grub in its postinst/prerm hook.

    Instead, READ THE DOCUMENTATION. It’s in your grub.conf/menu.lst above the list of kernels. I believe you want to turn on the “lockalternative” and possibly “lockold” options. After you turn them on, you can run upgrade-grub as root to regenerate the list with your new preferences, and those preferences will persist across kernel upgrades. If you do need more or different boot stanzas than are generated by update-grub, you should FOLLOW THE DIRECTIONS at around line 53 of your grub.conf and “Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST”.

  8. infodroid says:

    yeah, the automagic section is created automatically by a script based on the information in the section before it (read the comments to see where that section is). so you shouldn’t ever modify the automagic section, just the template. once you modify the template, you run as root “update-grub”. that will then recreate your automagic section.

  9. earobinson says:

    Boyd, thanks for pointing that out :) I was just proving the concept but that’s good to know.

  10. w4tch0 says:

    Exactly what Boyd Stephen Smith Jr. said. Oh, and btw. there is an exact guide on ubuntuguide.org which shows how to do exactly this properly (including password encryption):
    http://ubuntuguide.org/wiki/Ubuntu:Feisty#How_to_disable_all_interactive_editing_control_for_GRUB_menu

    Have a nice day :)

  11. […] but more of a discussion or educational topic on grub.  It was inspired by the original post here and continued discussion in the comments.  I thought I would outline some suggestions on securing […]

  12. […] of mine. One of my posts that continues to baffle me in how much activity it gets is my post about ubuntu root access. This post resulted in a friendly argument between me and a friend during class. At the time it was […]

  14. gianni says:

    stupid

    you just have to set a root password, and you will be asked to put a password, after the boot actually, to login in the recovery console.

  15. earobinson says:

    gianni, the convention in Ubuntu is not to have a root password but to instead use sudo.

  16. radiowave411 says:

    Once logged into the computer
    Click System
    click login window
    go to security tab
    locate and check the box that says allow local systems administrator login.
    then click close
    then go to system
    click administration
    click users and groups
    click unlock
    enter your password
    select the user “Root”
    click Properties
    under password
    click set password by hand
    then type password
    Click O.K.
    Then log off and login as user: root and the password you set
    now you have full access

    this will only work under Ubuntu and has been tested in Ubuntu 8.10 and works OK
