4

I am trying to understand this situation... Today I got a problem with the sudoers file since I modified it and got a problem with this modification. So the only way to solve the problem was to modify the file using root in Recovery Mode.

And there is where the problem starts.... no password was asked at all... so, just by choosing 2 options (Recovery Mode in Grub and Root in Recovery Mode), I've got access to all my system and all its files as root.

This is very dangerous! Anyone could easily erase important files or simply break the entire system without any password/password/....

Is there any official communication by Canonical about this? Is it simply an old forgotten feature or just something that no one wants to change just because they don't want to?

Jorge Castro
  • 71,754
aliasbody
  • 1,001

2 Answers

10

It's not a bug, it's a feature. Anyone with physical access to the machine can get your data and/or modify it unless your partitions are encrypted.

Consider this case: you can boot a Live CD and be able to read and modify data without issues.

Another one: someone could open the case, take the disk out of it and plug it in another machine (USB dock, eSATA, etc.). Then it's again easy to read and modify the data.

If you want to disable creation of the recovery entry, edit /etc/default/grub, uncomment the GRUB_DISABLE_RECOVERY="true" line by removing the leading # character and run sudo update-grub. However, this does not make it impossible to boot into recovery mode since you can still edit the boot options by pressing E on an entry and add single to the kernel line.

The only way to protect against such an attack is by encrypting your whole disk using LUKS. I strongly recommend doing that, especially for mobile devices such as a notebook. See How to truly secure a hard-drive?

Lekensteyn
  • 174,277
  • Yes but it is different... I understand the Live CD and others but I don't really understand this one. For a user that doesn't understand anything about security and doesn't even think about it until something goes wrong, he won't even consider encrypting his directory or disabling recovery.... So I think the better way is to, when the installation is done, make the root password the same as the principal user's password if (and only if) the user wants it to be so... Am I wrong with this?... – aliasbody Oct 17 '11 at 21:27
  • Yes you're wrong. The root account does not have a password because you can simply not log in with it in the non-single modus (See also http://askubuntu.com/q/16178/6969). In the past, you could password-protect the root user in single mode by changing the password for it: sudo passwd root. I'm not sure if that still works though. – Lekensteyn Oct 17 '11 at 22:07
  • I'm sorry, but it is still dangerous .... I think Ubuntu should find a way to protect "newbie" users more than that... just saying. I'm not saying that this feature is bad at all (since it is what saved me from my stupid error with sudoers), but for me the question remains... the access is too simple and easy even for people who never used the Linux terminal before.

    In my humble opinion, the Recovery Mode must be reviewed and adapted to new users and new situations. To make it hard to new users to break the system (which is not the case when using USC), and easy for Admin to configure the machine

    – aliasbody Oct 17 '11 at 22:11
  • @aliasbody: so you want Canonical to remove the recovery entry by default so the user does not accidentally boot into it? And make users lock themselves out (just like you did) without having a direct way to correct it? I doubt if it's possible to make a single boot option / button that fixes all issues for you without knowing the background situation. – Lekensteyn Oct 17 '11 at 22:15
  • No no! I don't want Canonical to remove the Recovery Mode at all (that would be a shot in the foot). I just want them to improve the tool to make it less easy to corrupt the system with or without permissions. They can ask the user if they want to use the password for root for example in Installation (it is just an idea). And protect more the system from "newbie" users... and they must start by protecting the easiest access to all the files in the system with Recovery Mode and root. Think about it, what did I win by using a password if anyone could use the root access easily? – aliasbody Oct 17 '11 at 22:19
  • I am not trying to tell that it is all Canonical's guilty. Or they must turn into a Windows or Mac protection like (far away from that). I am just saying that comparing to other Linux Distributions, this "feature" make a simple, and direct access without any permission or restriction (or even advertisement) to all the system and all the documents on it, by anyone who uses the computer. Like I said before, it is just like the Ubuntu dependencies problem that (sometimes without saying anything) removes important files from the OS, this is a big problem, and it is increasing in newer releases – aliasbody Oct 17 '11 at 22:24
  • 1
    Recovery mode boots into "Single User Mode", an idea that started with Unix. It's a simpler system than you usually see (recovery modes should be simple and minimal - the more you have to start before you can fix things, the higher the chance that something won't start and you won't be able to fix it) - No X windows, no networking, nobody but UID 0 (root). Linux is a set of powerful tools. You can do ANYTHING, including shooting yourself in the foot. If your users have the habit of booting into recovery mode and removing important files, CHANGE USERS! Put a password on boot. – waltinator Oct 18 '11 at 03:49
  • @aliasbody what are those important files being removed? Package dependencies are removed if they appear to be conflicting with newer packages (i.e. superseded by a newer version). The user won't usually see the boot menu at all (on a machine with only Ubuntu installed), so why would you worry about it? As I've said before, knowledgeable people can get access to other files anyway (which just requires to edit the boot options in the menu and adding single). – Lekensteyn Oct 18 '11 at 08:53
  • I am saying that after using Arch Linux when the last configuration to do is to set a root password, after that you start as a root user and have to create users account (but Ubuntu is not Arch so let's forget the last one). What I am saying is when you add the single on the boot option the root password will be asked in order to proceed to the root menu... Like that only the admin who knows the password can use the root settings (the password can be different from the sudo password since those two features are not the same), and something like that can be added on the installation set... no? – aliasbody Oct 18 '11 at 10:28
  • @aliasbody Understood now, but I see it as a minor security enhancement because anyone with physical access to the machine can do root things anyway using a Live CD regardless of whether there is a password set or not. Since single user mode (Recovery mode) is to be used by administrators anyway, there is little need for another password which you'll definitely forget because you shouldn't have a regular need for logging in as root. To set a password for root, use sudo passwd root. – Lekensteyn Oct 18 '11 at 10:44
  • The basic user who installed Ubuntu for the first time will not know about this feature and will leave it as it is, and someone with just the need to break something will go into the recovery mode, will use root, and will start to remove/install things. It is the best feature to solve problems, and even I with Arch Linux got several problems that cannot be solved that easily because there's no Recovery Mode. A little security set is better than none in my humble opinion. Just one question, what are the dangers when using the same password from the principal user account (admin) as the root? – aliasbody Oct 18 '11 at 11:09
  • @aliasbody There are still other ways to become root through the boot options. (e.g. break=postmount on Arch Linux). Security through obscurity is no security imo. You're free to choose the same password for your admin user and root. See http://askubuntu.com/q/16178/6969 for why you shouldn't be running as root the whole time. – Lekensteyn Oct 18 '11 at 12:23
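An audit of the three settings the first answer and its comments discuss (the GRUB recovery entry, the root password, and LUKS), as an added example that is not part of the original posts. The function names and the `--live` switch are assumptions made here; the verdict follows the answer's reasoning that only disk encryption counts against someone with physical access.

```shell
#!/bin/sh
# Added example: audit the settings discussed in this thread.
# Parsing lives in functions that take text, so they can be tried on samples.

# "yes" if FILE has an uncommented GRUB_DISABLE_RECOVERY="true" line.
recovery_entry_disabled() {
    if grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?[[:space:]]*$' "$1"
    then echo yes; else echo no; fi
}

# Classify one line of `passwd -S root` output by its status field.
root_password_state() {
    case "$(printf '%s\n' "$1" | awk '{print $2}')" in
        L|LK) echo locked ;;
        P|PS) echo set ;;
        NP)   echo empty ;;
        *)    echo unknown ;;
    esac
}

# "yes" if the device stack under / (one TYPE per line, as printed by
# `lsblk -s -l -n -o TYPE <root device>`) contains a dm-crypt layer.
root_fs_encrypted() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*crypt[[:space:]]*$'
    then echo yes; else echo no; fi
}

# Verdict: only encryption decides; the other two settings are reported.
verdict() {  # args: recovery_disabled root_pw_state encrypted
    if [ "$3" = yes ]; then
        echo "data at rest protected (recovery entry disabled: $1, root password: $2)"
    else
        echo "data readable with physical access (recovery entry disabled: $1, root password: $2)"
    fi
}

# Live audit of the running system; run as root: sh audit.sh --live
audit_live() {
    dev=$(findmnt -n -o SOURCE /)
    verdict "$(recovery_entry_disabled /etc/default/grub)" \
            "$(root_password_state "$(passwd -S root)")" \
            "$(root_fs_encrypted "$(lsblk -s -l -n -o TYPE "$dev")")"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

On a default Ubuntu install without full-disk encryption the expected verdict is the "readable" one even after the recovery entry is disabled and a root password is set, which is the point the answer makes.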
0

Considering this is an old topic, being able to go into Recovery Mode & rooting saved my Desktop multiple times from crashes, corrupted driver installs (gpu) or any other problems where my desktop environment just wouldn't load at all.

I understand your concern, but you are overthinking it.

Like others in this topic said, anyone with physical access to the PC can do anything with it just by simply using a USB with Ubuntu installed on it and they can access everything that's not encrypted.

Imagine other circumstances for example, a company had to lay off a system administrator, what if he changed passwords without telling the management about it and suddenly your new system administrator has no access to the entire system because the password has been changed and the person who did it is not responding. (It's hypothetical but very much possible and yes it does happen!)

There is probably SOME way to do this, I am not aware of one though, but considering all the factors, it is very much not necessary.

Point being, if you want to keep your files safe, encrypt them and restrict physical access to the PC to only necessary administrators.

Most regular "newbies" to Linux probably wouldn't even know what to do with it, and if they did, you will probably find out if something doesn't work anymore or whatever and appropriate actions should be taken against that person.

I hope this answer helps others who come here.