Re: [Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-06-25 Thread Martin Pitt
Kevin Funk [2008-06-24 15:48 -]:
> > I share the opinion of the reporters: it is a blatant security
> > hole because nobody expects this from a linux system.

Not at all. User/root passwords do not help in *any way* to protect
the system if you have local access and can reboot the machine (or
take the HD out and plug it into a different computer). As Christoph
pointed out, you need disk encryption for that.

-- 
 friendly-recovery drops to a root shell even when a root password is set
https://bugs.launchpad.net/bugs/220986
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-06-24 Thread Christoph Langner
> Is it possible to ask for a password even when no root password is
> set? Maybe ask the password of uid=1000

No. We need a way that users can reset their lost password.

> I think this should be fixed for all users as it's a security hole

You need to do a lot more to create "local security"!

* Change the boot order so that you can't boot from cdrom or usb. If not, I can
  boot your system with Knoppix and mount your disks.
* Set a bios password so that you can't change the boot order
* Set a root password so that you can't interrupt the boot process
* Lock the case of your computer so that nobody can remove the hard disk from
  your computer and read it with another computer
* Better: Lock your computer into a "safe", so that users can only reach keyboard
  and mouse
* Even better: Encrypt your file system
You don't create local security merely by setting a root password. You
need to do the whole shebang.



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-06-24 Thread Kevin Funk
Is it possible to ask for a password even when no root password is set? Maybe
ask the password of uid=1000? I think this should be fixed for all users as it's
a security hole.
> I share the opinion of the reporters: it is a blatant security hole because 
> nobody expects this from a linux system.
Exactly.



Re: [Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-14 Thread Martin Pitt
Ernst Kloppenburg [2008-05-15  6:20 -]:
> why not to hardy-security? It is a security problem that needs to be fixed
> for everybody.

-updates is enabled by default, so unless you explicitly disabled it,
you will get it. Also, it's really at the edge of being called
'security' -- if you just booted your computer, you have pretty much
root powers anyway.



Re: [Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-14 Thread Ernst Kloppenburg
On Thursday 15 May 2008, Martin Pitt wrote:
> Copied to hardy-updates.
>
> ** Changed in: friendly-recovery (Ubuntu Hardy)
>    Status: Fix Committed => Fix Released

why not to hardy-security? It is a security problem that needs to be fixed for 
everybody.

-- 
Ernst Kloppenburg
Heimerdingen, Germany



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-14 Thread Martin Pitt
Copied to hardy-updates.

** Changed in: friendly-recovery (Ubuntu Hardy)
   Status: Fix Committed => Fix Released



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-10 Thread Martin Pitt
** Tags added: verification-done

** Tags removed: verification-needed



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-09 Thread Ernst Kloppenburg
I followed steps 5 through 7 of the updated description above (using
friendly-recovery Version: 0.1.2).

It works as expected now: it does ask for the root password.

Pressing control-D instead of giving the root password brings you back
to the selection screen.



Re: [Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-09 Thread Ernst Kloppenburg
Where can I find the updated package?
I looked in
   http://archive.ubuntu.com/ubuntu/pool/main/f/friendly-recovery/
and in
   http://archive.ubuntu.com/ubuntu/dists/hardy-proposed/main/binary-i386/Packages.gz


On Friday 09 May 2008, Martin Pitt wrote:
> Accepted into -proposed, please test and give feedback here
>
> ** Tags added: verification-needed


-- 
Ernst Kloppenburg
Heimerdingen, Germany



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-09 Thread Martin Pitt
Accepted into -proposed, please test and give feedback here

** Tags added: verification-needed



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-08 Thread Michael Vogt
Uploaded to hardy-proposed, waiting for approval

** Changed in: friendly-recovery (Ubuntu Hardy)
   Importance: Undecided => High
   Status: New => Fix Committed

** Changed in: friendly-recovery
 Assignee: (unassigned) => Michael Vogt (mvo)
   Status: New => Fix Released

** Changed in: friendly-recovery (Ubuntu Hardy)
 Assignee: (unassigned) => Michael Vogt (mvo)



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-08 Thread Michael Vogt
Here is the hardy debdiff:

diff -Nru friendly-recovery-0.1/debian/changelog 
friendly-recovery-0.1.1/debian/changelog
--- friendly-recovery-0.1/debian/changelog  2008-04-11 13:17:48.0 
+0200
+++ friendly-recovery-0.1.1/debian/changelog2008-05-08 11:40:13.0 
+0200
@@ -1,3 +1,10 @@
+friendly-recovery (0.1.1) hardy-proposed; urgency=low
+
+  * usr/share/recovery-mode/options/root:
+- use /sbin/sulogin to get a shell (LP: #220986)
+
+ -- Michael Vogt <[EMAIL PROTECTED]>  Thu, 08 May 2008 11:33:29 +0200
+
 friendly-recovery (0.1) hardy; urgency=low
 
   * do not install /etc/event.d/rcS-sulogin (LP: #205911)
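Review bot: The new 0.1.1 entry at the top of debian/changelog says only "use /sbin/sulogin to get a shell", which does not tell a reader of the changelog what behaviour changes. Suggest spelling it out, for example that the "root" recovery option now asks for the root password when one is set instead of starting a shell directly, alongside the existing (LP: #220986) reference. With the bug described in this thread as a security problem, urgency=low on that first line is also worth a second look.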
diff -Nru 
/tmp/O7LAcwjGmM/friendly-recovery-0.1/usr/share/recovery-mode/options/root 
/tmp/TgCyQeJdEV/friendly-recovery-0.1.1/usr/share/recovery-mode/options/root
--- friendly-recovery-0.1/usr/share/recovery-mode/options/root  2008-04-11 
13:17:48.0 +0200
+++ friendly-recovery-0.1.1/usr/share/recovery-mode/options/root
2008-05-08 11:39:36.0 +0200
@@ -5,4 +5,4 @@
   exit 0
 fi
 
-bash
+/sbin/sulogin
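Review bot: The last line of options/root now runs /sbin/sulogin bare, with no arguments, no comment and nothing after it, so what this menu entry does when root has no password set rests entirely on how sulogin handles that case. Please confirm that a system without a root password still reaches a shell from this option (the recovery path for a lost user password), and add a one-line comment above the call saying that sulogin is used so that a set root password is requested.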


** Description changed:

  Binary package hint: friendly-recovery
  
  You can gain access to root even when you set a root password when
  friendly-recovery.
  
- Steps to reproduce
+ TEST CASE:
  
- 1) Install Ubuntu Hardy RC1
+ 1) Install Ubuntu Hardy
  2) Set a password for root
  
  $ sudo passwd
  
  3) Reboot into the recovery mode
  4) Choose "Drop to root shell prompt"
  
- In Gutsy (and all other prior Ubuntu releases) you had to enter the
- root-pw to get access to the root shell. Is this intentionally? If yes.
- Many documentations explain setting a password for root prevents access
- to the root account via the recovery mode. I think this change has to be
- doumented somewhere.
- 
- ProblemType: Bug
- Architecture: amd64
- Date: Wed Apr 23 13:37:15 2008
- DistroRelease: Ubuntu 8.04
- NonfreeKernelModules: nvidia
- Package: friendly-recovery 0.1
- PackageArchitecture: all
- ProcEnviron:
-  SHELL=/bin/bash
-  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
-  LANG=de_DE.UTF-8
- SourcePackage: friendly-recovery
- Uname: Linux 2.6.24-15-generic x86_64
+ 5) install version from hardy-proposed
+ 6) repeat steps 3 and 4
+ 7) verify that it asks now for a password on login
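Review bot: The new TEST CASE (steps 5 to 7) only exercises the path where a root password was set in step 2. Add a second pass that skips step 2 and verifies that "Drop to root shell prompt" still works when root has no password, so the verification covers both configurations the option has to support.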



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-08 Thread Launchpad Bug Tracker
This bug was fixed in the package friendly-recovery - 0.2.2

---
friendly-recovery (0.2.2) intrepid; urgency=low

  * usr/share/recovery-mode/options/root:
    - use /sbin/sulogin to get a shell (LP: #220986)

 -- Michael Vogt <[EMAIL PROTECTED]>   Thu, 08 May 2008 11:33:29 +0200

** Changed in: friendly-recovery (Ubuntu)
   Status: Confirmed => Fix Released



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-05-08 Thread Claudio
** Also affects: friendly-recovery
   Importance: Undecided
   Status: New



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-30 Thread Kees Cook
This is a regression -- the root password (if it is set) needs to be
required for a root prompt, just as the old recovery was done.

** Changed in: friendly-recovery (Ubuntu)
   Importance: Undecided => High
 Assignee: (unassigned) => Michael Vogt (mvo)
   Target: None => ubuntu-8.04.1



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-28 Thread Marco Scholl
Correct, I have set a root password, too. In early versions it asked for
the password if set.



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-25 Thread Christoph Langner
Bug #10662 is similar to this one, but not the same. Bug #10662
describes that you can boot into a root shell with the recovery
mode, when no password for root is set. This one here shows that this is
possible even though a password for root is set.



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-25 Thread Ernst Kloppenburg
The maintainers consider it a feature!!! This "bug" has been reported
earlier, e.g. #10662, more than three years ago.

I share the opinion of the reporters: it is a blatant security hole
because nobody expects this from a linux system.

There are more security holes like that when you can edit the boot
command line.

Maybe grub should be password protected by default?



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-24 Thread Marco Scholl
After removing friendly-recovery, it will ask for the password.

** Changed in: friendly-recovery (Ubuntu)
   Status: New => Confirmed



[Bug 220986] Re: friendly-recovery drops to a root shell even when a root password is set

2008-04-23 Thread Christoph Langner

** Attachment added: "Dependencies.txt"
   http://launchpadlibrarian.net/13836790/Dependencies.txt

** Visibility changed to: Public
