June 2006 Archives

Thu Jun 22 06:24:52 CEST 2006

getting r00t on your ubuntu box

As I probably wrote in another entry somewhere, I do like the "Ubuntu Way" (TM?) very much. Lately I have come to the state of mind that I actually want to be able to just use my computer at home without the hassle of having to care about configuring it and stuff. Ubuntu really takes good care of that and, simply put, it just works. (Of course, I would never ever use Ubuntu to power any server out there in the evil internet...)

Problem

The other day I once again came across a really stupid default installation problem in Ubuntu. It had some problems with its installer a couple of months back, when under certain conditions it wrote the password of the first, and thus fully sudo-enabled, user into the installation log files, leaving it readable (plain text!) by anyone.
Ubuntu will install grub and, the same way Debian does, add 'recovery' menu items to the grub boot menu. These fail-safe recovery boot options are a good thing. They boot straight into your system administrator's console and let you rescue your system. Unlike Debian, Ubuntu has no root password (the default user has sudo powers and root is disabled by default). And that's why you will not be asked for any password when using the recovery boot option. It will boot you straight into a root # prompt with just two keystrokes (you could also use grub's interactive mode to boot into root without the need of those recovery entries; they just make it even more convenient).

Impact

Now this certainly is not a high security risk, as you need physical access to the computer, and once you have that you can get root on practically any machine under any OS. In fact, many people will argue that it isn't a security risk at all. IMHO this is a default-install setting that is unknown to almost all users and for that reason alone cries out to be changed. Also, I have come across more than one open access terminal where the hardware was locked away (so no booting your own OS from CD) but the recovery option led me to quick root access without the (presumably lazy) operator having any clue. This really makes it too easy to get root, especially as there are ways to circumvent this problem that are not very difficult.

Solution

I would suggest simply locking the recovery items with a password. Another step would be setting a password for the root user. But as I prefer to maintain the Ubuntu way of disabling root and forcing the user to use sudo only, this would break with that paradigm.

To lock your recovery boot options, run sudo $EDITOR /boot/grub/menu.lst and change two lines from

# lockalternatives=false
# lockold=false
to
# lockalternatives=true
# lockold=true
Do NOT remove the leading #, as this has to be a comment (update-grub reads its configuration out of comments in menu.lst, yikes!).
You also have to set a password, and I won't spare you the hassle of computing your md5 string first: ALT-z into a shell, run /sbin/grub-md5-crypt and enter the password of your choice twice. Now copy that md5 string, go back to your editor (fg) and add the hashed password string. Change:
# password topsecret
to:
password --md5 $1$3/7sa1$p1fZaKJyMBXZx8wlbeAxl/
Do not forget to replace that hash with your own. (And yes, in this case you have to remove the leading #!)

For security reasons (md5 is considered to be rather weak nowadays), be sure to make menu.lst readable by root only: sudo chown root:root /boot/grub/menu.lst && sudo chmod 600 /boot/grub/menu.lst
Once that is done, update grub, which will add a 'lock' line to every alternative boot option: sudo /sbin/update-grub

This will lock every alternative boot option that update-grub automagically created, as well as entry into the interactive mode, with the password set above. It will not lock your Windows, BSD or whatever other boot options.
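
An added example, not part of the original post: a small shell function that checks a menu.lst for the lock-down steps described above. It assumes GNU stat and that recovery stanzas carry "recovery mode" in their title line; audit_menu_lst and its optional UID argument are names invented here.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy menu.lst for the hardening steps above.
# audit_menu_lst FILE [UID] prints one line per finding and returns the
# number of findings (0 = hardened). UID is the expected owner, default 0.
audit_menu_lst() {
    f=$1; uid=${2:-0}; n=0
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    # update-grub reads these settings from comments, so the '#' must stay.
    grep -Eq '^#[[:space:]]+lockalternatives=true' "$f" ||
        finding "lockalternatives is not set to true"
    grep -Eq '^#[[:space:]]+lockold=true' "$f" ||
        finding "lockold is not set to true"

    # The password directive must be live (no leading '#') and hashed.
    grep -Eq '^password[[:space:]]+--md5[[:space:]]+[^[:space:]]+' "$f" ||
        finding "no active 'password --md5' line"
    if grep -E '^password[[:space:]]' "$f" | grep -vq -- '--md5'; then
        finding "plain-text password line present"
    fi

    # The hash must not be readable by other users (GNU stat syntax).
    [ "$(stat -c '%a' "$f")" = 600 ] || finding "mode is not 600"
    [ "$(stat -c '%u' "$f")" = "$uid" ] || finding "owner uid is not $uid"

    # After update-grub, every recovery stanza should contain a 'lock' line.
    # Assumption: recovery titles contain the text "recovery mode".
    unlocked=$(awk '
        /^title/ { if (rec && !locked) bad++
                   rec = ($0 ~ /recovery mode/); locked = 0 }
        /^lock[ \t]*$/ { locked = 1 }
        END { if (rec && !locked) bad++; print bad + 0 }' "$f")
    [ "$unlocked" -eq 0 ] ||
        finding "recovery entries without a lock line: $unlocked"

    return "$n"
}
```

Run it as root against the real file, e.g. audit_menu_lst /boot/grub/menu.lst; the return code is the number of findings.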

Wed Jun 21 01:50:11 CEST 2006

time 4 relaunch

No entries in almost two years. Wow. Time for a relaunch!

Meta-Info for this Blog: It's running nanoblogger and will soon enough feature some additional plugins I will have to write to enable comments, trackbacks and some other neat gizmos I would like it to have.


Posted by iso | Tags: about