recovery from stupid error
Judd Pickell
pickell at gmail.com
Thu Jul 14 20:01:41 CDT 2005
"Once again I mention that I am talking about making bypassing security
easier for those who wish to do harm ... and I
will continue believing that these practices are dangerous and insecure
for a distribution that caters to new users."
<sarcasm> Brett, have you ever worked for MS?</sarcasm>
Seriously.. You are pointing out issues that are relevant to us, who
are beyond new users, not to run of the mill joe that grabs a Ubuntu
CD and installs it.
Is it possible to access the recovery mode and get to root without a password?
Yes.
Will a new user (ie new to linux) realize this upon installation?
No.
Name a new user to XP that is aware of hitting F8 to access your boot
options? I have been doing tech support for over 10 years, most people
didn't even know it was possible with win98, let alone XP. In fact
this entire email was started because the person only found out about
it after causing serious harm to their system, and started looking for
options to recover. A new user would not look for recovery, they would
search out someone with more experience and that person would go
looking for it.
So to break it down into its components. To know about the recovery
would take someone who has done more than a cursory install on their
computer. It would take someone with knowledge of how computers worked
to even think to find a recovery type mode. Not to mention that they
would never think that there is even a layer above the magical windows
layer that they can muck about in. I have to wonder how many would
even open a Terminal without explicit directions to do so.
Thus the argument moves from it being a new person magically figuring
out how to access root magically, to a person with some experience
(and most likely access to Google). Given that the person has
some experience, they would pull up this link:
http://www.google.com/search?hs=t6X&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=bypassing+root+in+Ubuntu&btnG=Search
667 articles on how to bypass root on Ubuntu.
But again, there is a certain extent of knowledge they must have
before this type of, shall we say exploit, is made known to them. Thus
negating your concerns over a new person finding root. Not to mention
if they are genuinely new to linux, what are they even gonna know to
type in the command prompt? There is no mouse or magic folders for
them to throw in the trash. How many new people are going to know that
you have to type startx to get into X win.
I would hope that after both of my posts, not to mention the many
others who have all stated the same thing, that you would realize the
blatant fantasy of your argument. If you really believe that passwords
are the best way to secure things, or even if you only believe that
passwords just make things harder, you need to bone up on your
understanding of security. Grab your library card, and read up on
computers and security, I would seriously recommend spending your time
reading everything on this site: http://www.schneier.com/ and even
subscribing to the cryptogram newsletter.
I do not think that I would be the first to say that in my
unprofessional opinion that a stock install of Ubuntu is safer for the
new user than a stock install of XP. There just is no comparison. I
would bet anyone dollars to donuts that if I sat down my wife at my
computer (who is not entirely new to linux, but isn't a computer geek
either), and asked her to get to the recovery console, the only look I
would get would be a deer in the headlights look.
If you don't believe me/us that a new user isn't going to be able to
do this, test it yourself. Throw it on a few computers and have some
Linux newbies sit at the computer and ask them to access the recovery
console. Can you guess how many blank stares you would get?
The point is simple.. If they can figure out how to get to the
recovery, they can figure out how to bypass a simple password. So
basically saying that throwing a password on there makes it more
secure is silly. It is akin to saying that if you lock up all the
matches people can't start fires, or it would make it more difficult;
even though a magnifying glass on paper would make a fairly fast
fire..
The hardest part about writing this email is that I feel I am being
unnecessarily condescending to you Brett, however, it is not my
intention. I am just trying to help you understand why you are the
only one who is walking around complaining that this is insecure.
Obviously achieving root access is by definition insecure, and by
definition you are correct. However the problem is solution, a
password only obscures, it doesn't prevent root access, and as such,
in this instance, the solution is as bad as the problem thus negating
it being an issue.
Maybe after reading the above link's contents you will understand
better why it is, and if not, well, that is what it is..
Sincerely,
Judd Pickell
On 7/14/05, Brett Profitt <brett at narnarnar.com> wrote:
> Judd Pickell wrote:
> > It is apparent in the responses above, that they get what you mean,
> > but you seem to be missing their point. I will attempt to show you by
> > presenting your own arguments:
>
> I can assure you that I have missed no points that were made, but that I
> believe they are severely flawed.
>
> > 1) A person (other than valid user) sits down at the computer and
> > enters recovery mode.
> > 2) A person stumbles into a server room (other than a valid admin),
> > sits down at the computer and enters recovery mode.
> >
> > First, we need to throw out the second example. I don't know of many
> > server rooms (at least for operations bigger than a few users) where
> > you have a machine with direct monitor and keyboard access to make
> > this possible. If you know how to operate the KVM setup you might get
> > to it, but if your servers are automatically that accessible, you are
> > just begging for someone to break your servers. (Not to mention that
> > your servers would need to be rebooted to access Grub to get to
> > recovery, which if they can do that from a KVM or direct access to the
> > server hardware, you are screwed).
>
> This is, unfortunately not true. There are many, MANY conditions under
> which a person who is not valid admin might have access to server rooms:
> janitors, upper management, etc. The second example, then, is highly
> significant.
>
> > But the first case makes sense, you wouldn't want someone to sit down
> > at your computer reboot it, and access root. However, you fail to miss
> > the most obvious point of your whole scenario. IF someone has managed
> > to get that much access without your knowledge, and their intents were
> > so malicious as to seek out to access root without your knowledge, a
> > password on the root access will not protect you.
> >
> > [SNIP]
> >
> > So to put it bluntly, root only protects you while your machine is
> > already in its operational phase, and only prevents you from doing too
> > much harm via a connection to the machine (even X is just a connection
> > to the machine at its technical level).
> >
> > I hope I have put into reality the false-reality you have about
> > accessing root. Anytime you allow someone else physical access to your
> > machine, you are just asking for root to be busted. If you really want
> > to prevent users from doing what has been described above is to not
> > give them access to the machine at all (yeah, like we ever have that
> > kind of option) or set them up with Dumb terminals that use all the
> > resources on a central server.
>
> Once again I mention that I am talking about making bypassing security
> easier for those who wish to do harm, who may otherwise not be inclined
> to. I have already stated that I understand that those who wish to
> compromise security, given enough experience, will be able to
> regardless. It follows, then, that it is not against these people that
> security measures are effective, but it is against another type...those
> who may be only curious and adventurous. I understand the implications
> of physical security, but as I have previously discussed, one cannot
> assume physical access is allowed only to those who are administrators.
>
> I see that this discussion will not progress to any further meaningful
> levels on the list, so I will suggest this: You may continue believing
> that I am wrong and have a false idea of the meaning of security, and I
> will continue believing that these practices are dangerous and insecure
> for a distribution that caters to new users.
>
> Brett
>