[Bug 1497909] Re: grub's root terminal in the recovery menu, makes it possible for physical hacking.

Josef Schneider ubuntu at netpage.dk
Mon Sep 21 09:39:17 UTC 2015


*** This bug is a duplicate of bug 283662 ***
    https://bugs.launchpad.net/bugs/283662

** This bug has been marked a duplicate of bug 283662
   no login promt at "recovery mode"-boot

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub in Ubuntu.
https://bugs.launchpad.net/bugs/1497909

Title:
  grub's root terminal in the recovery menu, makes it possible for
  physical hacking.

Status in grub package in Ubuntu:
  New

Bug description:
  TL;DR
  When my laptop is stolen, people can choose the recovery option from the grub startup menu, select the root terminal and
  create a privileged user.

  FIX:

  My proposed fix: When choosing the root terminal ask for the local
  password for the local root privileged account.

  If someone tries to create another account to 'steal' data, one still
  needs a password.

  Long story

  http://askubuntu.com/q/676545/36315

  I messed up my Ubuntu, I only got a black screen when booting my Ubuntu.
  When I started up my laptop, I selected the recovery option from the grub
  menu, and chose fallback at root terminal. I saw that I was able to
  use the add user command, which I probably could turn into a
  privileged user on my machine.

  Isn't that a security issue?

  One could have stolen my laptop, and at startup chosen recovery and added
  another user; I'm fudged then. Including my data.

  Come to think of it, even if you somehow remove that entry, one could
  boot from a live-CD, get a chroot up and running, and then add another
  user, with the right privileges that allows it to muck everything up.

  If I set the BIOS to boot at my HD only, no USB, CD/DVD, Network
  startup. And set a BIOS password, it still wouldn't matter. Because
  you'd still have that grub recovery startup entry.

  I am fairly certain that someone from China, Russia can't just hack my
  Ubuntu Trusty Tahr, because it's secure like that. But, if one has
  physical access to my - your - machine, then, well, that's why I'm
  asking this question. How can I secure my machine so that hacking
  through physical access is not possible?

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: grub (not installed)
  ProcVersionSignature: Ubuntu 3.19.0-28.30~14.04.1-generic 3.19.8-ckt5
  Uname: Linux 3.19.0-28-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.13
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Sep 21 11:02:01 2015
  InstallationDate: Installed on 2015-09-09 (12 days ago)
  InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
  SourcePackage: grub
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub/+bug/1497909/+subscriptions


