Thursday, October 11, 2007

Insecure by Default

Guess what, I can walk up to your Ubuntu, PCLinuxOS, Debian, etc. desktop installation and take complete control over it without needing a single password. That's right, root access simply by sitting down at your computer. Why is it that nearly every single distro leaves this gaping security hole open by default? Seriously, it is possible to fix the problem during installation; my personal favorite, Sabayon, asks whether you want to password-protect GRUB as part of the install.

What am I talking about? One simple word, 'single', that's it. You walk up to nearly any default desktop installation, reboot it, then break the boot cycle when GRUB fires up. If GRUB is not password-protected, and the default for almost all installations is that it isn't, you now have the option to grant yourself root access.

On single- or multi-boot systems, select the installation you want and, instead of hitting Enter to boot, press 'e' to edit. Select the boot line with all the kernel options, typically the second, and press 'e' again. Scroll all the way to the end of the line and add the word 'single'. Press Enter, then 'b' to boot.

The system will now start booting in what appears to be normal fashion, with one exception: instead of dropping you into the GUI, it drops you into a CLI with root access automagically granted. From that point on the system is mine. I can change passwords, add users, add background processes such as FTP or SSH access for myself, maybe add a hidden user account (not so hidden if you know what you are looking for in /etc/passwd, but you have to know to look). In other words, anything.

So I ask again: with security being such a given when running Linux, why is this hole left open? It is possible to close it after the fact, and it is not difficult at all. Directions on how to accomplish this simple security measure can be found:
(that one includes securing LILO as well)
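As an added example (not from the original post or its links), here is a small audit script for the GRUB Legacy menu.lst that the 'e'/'b' menu above belongs to. It assumes GRUB Legacy syntax (a global `password --md5 <hash>` line and a per-entry `lock`), both sample files are constructed, and the hash shown is a placeholder to be replaced with real `grub-md5-crypt` output.

```shell
#!/bin/sh
# Added example, not from the original post: audit a GRUB Legacy menu.lst
# (the 'e'/'b' menu described above) for boot-time password protection.
# Assumes GRUB Legacy syntax: global 'password --md5 <hash>', per-entry 'lock'.

# Constructed sample: a default-looking, unprotected menu.lst.
UNPROTECTED='default 0
timeout 5
title Linux
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet splash
title Linux (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro single'

# The same file hardened. The hash is a PLACEHOLDER (make a real one with
# grub-md5-crypt). 'password' makes editing entries require 'p' plus the
# password; 'lock' stops the recovery entry booting until it has been given.
PROTECTED='default 0
timeout 5
password --md5 $1$PLACEHOLDER$replace_with_grub-md5-crypt_output
title Linux
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet splash
title Linux (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz root=/dev/sda1 ro single'

# grub_menu_has_password CONTENT: succeeds if a global 'password' line exists.
grub_menu_has_password() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*password[[:space:]]'
}

# count_unlocked_single CONTENT: prints how many entries boot single-user
# mode ('single' on the kernel line) without a preceding 'lock'.
count_unlocked_single() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*title/       { locked = 0 }
        /^[ \t]*lock[ \t]*$/ { locked = 1 }
        /^[ \t]*kernel/ && (/ single$/ || / single[ \t]/) && !locked { n++ }
        END { print n + 0 }'
}

# Stand-alone run: report on both samples.
for content in "$UNPROTECTED" "$PROTECTED"; do
    if grub_menu_has_password "$content"; then pw=yes; else pw=no; fi
    echo "global password: $pw; unlocked single-user entries: $(count_unlocked_single "$content")"
done
```

Run it against your real /boot/grub/menu.lst by passing the file's contents to the two functions; a missing global password or any unlocked single-user entry is the hole the post describes.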

Also, if you happen to screw it up and need to recover from locking yourself out of GRUB, you'll need a LiveCD and the directions here, or a little common sense.

So now, what is your excuse for not securing your bootloader from me? How often do you actually have to go in and mess with it, or even look at it? Isn't five minutes of your time worth knowing that no one is going to access your system when your back is turned?

Oh did I mention that Sabayon gives you the option to do this as part of the install routine? I did, but this is a good place for a shameless plug for my distro of choice.



Wiktor said...

Setting a password for GRUB doesn't make your system much more secure. If somebody is granted physical access to your computer, a password in GRUB won't stop her from doing anything she wants.

IvanIdea said...

I can do the same thing for Windows. Use a LiveCD to get access to the filesystem, extract the passwords and log in. A BIOS password can even be overwritten if you have physical access. It is almost impossible to secure a machine from someone who has physical access to it.

Matthew said...

As IvanIdea mentioned... this isn't so shocking considering anyone with physical access could also simply put in a LiveCD, mount your filesystem and edit to their heart's content.
From my perspective, security was always only effective until someone has physical access, then you are toast. I remember the old days when people would password-protect their screen saver and say "well, now you can't reboot either"... but that is where the ol' power cycle via PSU cable comes in.

tistje said...

You'd probably need volume encryption (password NOT on the fridge) to get more secure against malicious physical access.

raf said...

As far as I recall, Ubuntu and Debian will invoke /sbin/sulogin in single-user mode, requiring the root password before giving shell access. But, as people have pointed out, a boot CD or bootable thumb drive would suffice.

You'd want to disable non-harddrive boots in the BIOS, password-protect your BIOS, padlock your case, password-protect GRUB, and probably encrypt your filesystem just in case.

Azerthoth said...

Don't get me wrong on this, but the main thrust was to wonder why this step wasn't included by default with most distros. I agree that anyone with physical access to your machine and a little free time will be able to circumvent nearly anything. Not too sure about drive encryption, but as one simple additional step as part of the install? I should at least have the option of saying no to it if I don't want it.

Snoopy said...

This is possible for any machine if you have physical access, be it Linux or Windows or another OS. You can even boot with a flash drive, CD or floppy and do whatever you like, including copying and modifying files and passwords. With physical access to the computer anything can be done, including stealing the hard disk. One principle of good security is to have good physical security rules enforced. If you don't, anything else is useless.
The only exception is encrypting your private data, but this is quite another thing.
I think you have too much free time and an acute lack of inspiration to come out with such an article. But hey, who am I to question statements like "the water is wet".

Matthew said...

Yeah, I agree that this may be one of those things that a more advanced user might find a little frustrating. But I think that this is one of those things that is enabled to allow for as easy use as possible for a newer user. I try to think of it as if someone locks up their install and needs access but doesn't know how... it's like a safe-boot mode that they can easily access without fuss. Do I agree with it... not sure... does it seem helpful to a frustrated and distraught new user... probably.
That is just my take... and as we know, with ease comes a downside, and that is usually security. This is just why I tend to like Slack for most of my boxes... it's got that old-school "you do it" feel.

Chris Cox said...

Common theme... physical access... and they're right. I mean you can put one more hoop in the way, but if I have physical access, there's not much you can do to stop me.

Ever try to fix a machine that has an axe slicing through the middle of it? Physical access is the key...

Anonymous said...

I recently did an install of Debian Etch (before upgrading to Lenny but that's beside the point). I used the expert mode gui installer and it gave me the option of choosing a password for GRUB menu access. If memory serves non-expert mode installs do not present you with this choice.

David said...

In a business environment, it's typical to have all other boot devices locked so you can't boot from them. Sure that can be overridden by doing a BIOS reset, but that would require a little more effort since you have to open the case to do it.
It is harder to protect against physical access, but that's no excuse to not try.

Andrew Muller said...

While obscurity isn't security, I'd stake my house that more people in this world know how to remove a hard drive in under 30 seconds than know how to boot into single-user mode.
And once the drive is gone, the data is as good as theirs.

Aaron said...

Sorry - The number one rule of any security policy is physical access. The OS DOESN'T matter. To say this is a problem with a certain flavor of OS is not a good idea and misleading.

Dana said...

Why can't you people just encrypt your filesystem?