friendly-recovery drops to a root shell even when a root password is set

after remove friendly-recovery it will ask for password

The maintainers consider it a feature!!! This "bug" has been reported earlier, e.g. #10662, more than three years ago.

I share the opinion of the reporters: it is a blatant security hole because nobody expects this from a linux system.

There are more security holes like that when you can edit the boot command line.

Maybe grub should be password protected by default?

Bug #10662 is similar to this one, but not the same. Bug #10662 describes that you can can boot into a root shell with the recovery mode, when no password for root is set. This one here shows that this is possible even though a password for root is set.

Correct, i have set a root password, too. In early versions i ask for password if set.

This is a regression -- the root password (if it is set) needs to be required for a root prompt, just as the old recovery was done.

This bug was fixed in the package friendly-recovery - 0.2.2

---------------
friendly-recovery (0.2.2) intrepid; urgency=low

  * usr/share/recovery-mode/options/root:
    - use /sbin/sulogin to get a shell (LP: #220986)

 -- Michael Vogt <email address hidden> Thu, 08 May 2008 11:33:29 +0200

Here is the hardy debdiff:

diff -Nru friendly-recovery-0.1/debian/changelog friendly-recovery-0.1.1/debian/changelog
--- friendly-recovery-0.1/debian/changelog 2008-04-11 13:17:48.000000000 +0200
+++ friendly-recovery-0.1.1/debian/changelog 2008-05-08 11:40:13.000000000 +0200
@@ -1,3 +1,10 @@
+friendly-recovery (0.1.1) hardy-proposed; urgency=low
+
+ * usr/share/recovery-mode/options/root:
+ - use /sbin/sulogin to get a shell (LP: #220986)
+
+ -- Michael Vogt <email address hidden> Thu, 08 May 2008 11:33:29 +0200
+
 friendly-recovery (0.1) hardy; urgency=low

   * do not install /etc/event.d/rcS-sulogin (LP: #205911)
diff -Nru /tmp/O7LAcwjGmM/friendly-recovery-0.1/usr/share/recovery-mode/options/root /tmp/TgCyQeJdEV/friendly-recovery-0.1.1/usr/share/recovery-mode/options/root
--- friendly-recovery-0.1/usr/share/recovery-mode/options/root 2008-04-11 13:17:48.000000000 +0200
+++ friendly-recovery-0.1.1/usr/share/recovery-mode/options/root 2008-05-08 11:39:36.000000000 +0200
@@ -5,4 +5,4 @@
   exit 0
 fi

-bash
+/sbin/sulogin

Uploaded to hardy-proposed, waiting for approval

Accepted into -proposed, please test and give feedback here

where can I find the updated package?
I looked in
   http://archive.ubuntu.com/ubuntu/pool/main/f/friendly-recovery/
and in

http://archive.ubuntu.com/ubuntu/dists/hardy-proposed/main/binary-i386/Packages.gz

Am Freitag 09 Mai 2008 schrieb Martin Pitt:
> Accepted into -proposed, please test and give feedback here
>
> ** Tags added: verification-needed

--
Ernst Kloppenburg
Heimerdingen, Germany

I followed steps 5 through 7 of the updated description above (using friendly-recovery Version: 0.1.2)

It works as expected now: it does ask for the root password

pressing control-D instead of giving the root password brings you back to selection screen.

Copied to hardy-updates.

Am Donnerstag 15 Mai 2008 schrieb Martin Pitt:
> Copied to hardy-updates.
>
> ** Changed in: friendly-recovery (Ubuntu Hardy)
> Status: Fix Committed => Fix Released

why not to hardy-security? It is a security problem that needs to be fixed for
everybody.

--
Ernst Kloppenburg
Heimerdingen, Germany

Ernst Kloppenburg [2008-05-15 6:20 -0000]:
> why not to hardy-security? It is a security problem that needs to be fixed for
> everybody.

-updates is enabled by default, so unless you explicitly disabled it,
you will get it. Also, it's really at the edge of being called
'security' -- if you just booted your computer, you have pretty much
root powers anyway.

Is it possible to ask for a password even when no root password is set? Maybe ask the password of uid=1000? I think this should be fixed for all users as its a security hole.
> I share the opinion of the reporters: it is a blatant security hole because nobody expects this from a linux system.
Exactly.

> Is it possible to ask for a password even when no root password is set? Maybe ask the password of uid=1000

No. We need a way that users can reset their lost password

> I think this should be fixed for all users as its a security hole

You need to do a lot more to create "local security"!

* Change the boot order so that you can't boot from cdrom or usb. If not, i can boot your system with Knoppix and mount your disks.
* Set a bios password so that you can't change the boot order
* Set a root password so that you can't interrupt the boot process
* Lock the case of your computer so that nobody can remove the harddisk from your computer and read it with another computer
* Better: Lock your computer into "safe", so that users can only reach keyboard and mouse
* Even better: Encrypt your file system

You don't create local security merely by setting a root password. You need to do the whole shebang.

Kevin Funk [2008-06-24 15:48 -0000]:
> > I share the opinion of the reporters: it is a blatant security
> > hole because nobody expects this from a linux system.

Not at all. User/root passwords do not help in *any way* to protect
the system if you have local access and can reboot the machine (or
take the HD out and plug it into a different computer). As Christoph
pointed out, you need disk encryption for that.