*** This bug is a security vulnerability ***

Public security bug reported:

Ubuntu Hardy just updated to the newest kernel which broke my sound and
Nvidia drivers.  That's a separate issue, but it made me try to boot my
computer into "Recovery Mode" as offered by the grub menu.  One of the
options offered here was a chance to drop to a root shell.

Much to my surprise, I was greeted with full access to all the files
belonging to all users on this computer.  I thought Ubuntu had locked
down the root account so that it could only be accessed by people who
"sudo su" and who are part of the admin group.  See
https://help.ubuntu.com/community/RootSudo which mentions this... Is this
fixed in 8.10?

With the exception of this, my computer is pretty well locked down--the
BIOS password is set and we can only boot to the first HDD (with grub),
but now this root shell bothers me.

Rather than full root access, could we instead be greeted with a login
prompt similar to that seen when dropping to a TTY by pressing
ctrl-alt-f1?  Then an admin user could sudo su, or could have previously
set up a root password, but having this as a default seems a little
risky.

If this has been fixed in newer releases, would it be possible to get a
security or backport release that would edit the grub or recovery menu
to disallow this by default?

Many Thanks,
Ryan

** Affects: ubuntu
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Recovery Mode allows full root access without a password
https://bugs.launchpad.net/bugs/326473
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs