Is it just me or is this an extremely bad idea?
Losing your root password isn’t the end of the world, though. You’ll just need to reboot into single user mode to reset it. Here’s how to do it on a typical Ubuntu machine with the GRUB bootloader:
Boot Linux into single-user mode
- Reboot the machine.
- Press the ESC key while GRUB is loading to enter the menu.
- If there is a ‘recovery mode’ option, select it and press ‘b’ to boot into single user mode.
- Otherwise, the default boot configuration should be selected. Press ‘e’ to edit it.
- Highlight the line that begins with ‘kernel’. Press ‘e’ again to edit this line.
- At the end of the line, add an additional parameter: ‘single’. Hit return to make the change and press ‘b’ to boot.
Change the admin password
The system should load into single user mode and you’ll be left at the command line automatically logged in as root. Type ‘passwd’ to change the root password or ‘passwd someuser’ to change the password for your “someuser” admin account.
I’ve thought about it quite a few times before, and especially after reading that article. That workaround, to me, seems dangerous to the security of a Linux system.

Ubuntu Grub Menu
It says how to reset an Ubuntu password, but I’ve used it with practically every distro I’ve ever tried (quite a few) and it always works. There’s only one problem: anyone can use it. It’s nice if you forget your own password and need to reset it, but someone else with bad intentions could just as easily use it to lock you out of your system, or they could even use it to gain access to all of your files.
I’ve always believed that Linux is very secure, but this one exception has always made me think. Does anyone else have any further thoughts on the matter? Or maybe someone could explain to me why they added this feature in the first place? Any input is appreciated on the matter, I’m simply curious as to why they allow this.

Just put the password to grub.
Edit /boot/grub/menu.lst.
Type this in terminal
sudo gedit /boot/grub/menu.lst
Find/Add line password my_password_here
Or follow this instruction: http://www.gnu.org/software/grub/manual/html_node/Security.html
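An added example, not part of the comment above and not GRUB's own code: a small Python audit of a GRUB legacy menu.lst that checks whether the password line suggested above is actually in effect. The sample file and the function name audit_menu_lst are constructed for illustration; it assumes GRUB legacy semantics, where a password line before the first title blocks menu editing and lock protects an individual entry.

```python
import re

# Constructed sample menu.lst (GRUB legacy syntax), not from a real system.
SAMPLE_MENU_LST = """\
# password topsecret
default 0
password my_password_here

title Ubuntu
kernel /boot/vmlinuz root=/dev/sda1 ro quiet

title Ubuntu (recovery mode)
kernel /boot/vmlinuz root=/dev/sda1 ro single
"""


def audit_menu_lst(text):
    """Return a list of findings for a GRUB legacy menu.lst."""
    findings = []
    global_password = False
    entries = []
    current = None  # entry being parsed; None while in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out examples protect nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = parts[0], parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            current = {"title": args, "locked": False, "single": False}
            entries.append(current)
        elif cmd == "password":
            if current is None:
                global_password = True  # blocks the 'e' editor and command line
            else:
                current["locked"] = True
            if not args.startswith("--md5"):
                findings.append("password stored in plaintext (no --md5)")
        elif cmd == "lock" and current is not None:
            current["locked"] = True
        elif cmd == "kernel" and current is not None:
            current["single"] = "single" in args.split()
    if not global_password:
        findings.append("no global password: boot entries can be edited")
    for entry in entries:
        if entry["single"] and not entry["locked"]:
            findings.append("single-user entry boots without password: " + entry["title"])
    return findings
```

On the constructed sample this reports the plaintext password and the unlocked recovery entry: a global password only blocks editing, so a recovery entry already in the menu still boots to a root shell unless it also carries lock.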
Physical access is root access, regardless of operating system. I can also reset administrative passwords in Windows and Mac OS X. In Mac OS X, you get a root shell by holding down Cmd-S during boot-up. I can reset a Windows password with a CD.
This is not Linux-specific.
If you want real security, bar physical access and encrypt everything important.
I don’t believe this is a major issue because:
1. The same sort of thing can be done on Windows.
2. Both GRUB and the BIOS can be password-protected.
3. In order for this “vulnerability” to mean anything, the attacker needs physical access…Which negates 99.7% of all possible security attacks…
4. I believe it is possible to disable single-user mode on a kernel level as well if you’re worried about this sort of thing.
Agree with “mul14”, add a password to Grub for extra security.
However anyone could still boot from cdrom or usb, and easily remove the password entry for root in the /etc/shadow file. So change your boot sequence in the Bios to boot to HDD first, and add an admin password to your Bios.
But it is always possible to reset the bios, or remove the hdd and take it to another machine. I suggest encryption at the FileSystem level:
http://linuxreviews.org/howtos/security/
Charles
Physical access to a computer means that it’s owned. You can do some things to mitigate the problem, like the Grub password mentioned above, the necessary addition of the BIOS password, not allowing boot from the CD, floppy, USB, or the network, and removing the single-user menu item, but someone can still crack the case, put the disk in a new machine, and change your root password that way.
User-friendly distros keep the single-user (recovery) mode on the menu. Less friendly ones make you type in some commands, but it’s still there. It’s for ease of use since security specialists know that it doesn’t matter, anyway. If you know what you’re doing, lock down the box as much as you can. It won’t change the outcome if the person sitting in front of the computer really wants in there.
Seriously, security should be set before there: the BIOS should be password protected, and the case should have an alarm and be locked at all times. The weakest part is granting local access to the machine.
The method outlined above works only if you have physical access to the box. Once physical security is compromised all bets are off anyway. There are multiple ways in which security can be overcome. This is why this feature is present.
It’s not a bad idea because, if you’re concerned about security, physical access to your box is the most overlooked, but obvious, way to attack a system. If you want to keep a machine safe, never let anyone near it during this boot process or at any other time; this is not much different from using a live CD to access a Windows or Linux machine.
Yes, I think this is the weakest link to all OSes. I did this both on Ubuntu and Windows and thought about what you thought. It’s like securing servers with firewalls and other extra precautions. Then one day, some gas pipe blows together with our fiber optic lines. There goes our internet connection for a day.