Ubuntu: Ubuntu 14.04 LTS Security?



Question:

[Ubuntu 14.04 on 2014 Retina MacBook Pro 15" using rEFInd]

(ThomasW's Why is everybody so concerned about etc/passwd? link addresses my initial comments about accessibility to passwd and other files, so I've removed my comments here.) Though I still believe in the principle of denying information to the potential attackers.

Whilst trying to fix a Unity GUI issue which has rendered my account unusable, I've found what I believe is a much bigger issue!

I booted into 'Single User Mode' thinking that I would be able to log into a TTY terminal and fix things through it. But the boot process paused at:

usbhid 1-8.1:1.0: can't add hid device: -71  usbhid 1-8.2:1.0: can't add hid device: -71  

So I switched to TTY (Ctrl-Alt-F7) and since it was showing a cursor, I pressed Enter. I now found myself with the root user prompt in root's home directory. I wasn't asked for a password!
I created a new user, added them to the sudo group, and:
- when I used the exit command, a few more boot steps were performed (last of which was * Restoring resolver state... and it stopped. So I returned to TTY F1 and now had a login prompt. (I tried to login as root with no password and, as would be expected, I failed. The root account is disabled as per default)
- when I used the reboot command, the boot up sequence continued until the login splash screen, and then a reboot was triggered.

(I thought you could only do this sort of thing by using a Live USB and chrooting to the fixed drive.)

This has been convenient for the current problem I'm trying to fix, but I don't think this is desirable in any other circumstance.

I've repeated these steps a few times whilst writing this post, so it's definitely repeatable.


Solution:1

Physical access means you have all the power you need to do anything. There is no need for an operating system to prevent anything when someone is actually touching the machine.

This has been convenient for the current problem I'm trying to fix,

As intended.

but I don't think this is desirable in any other circumstance.

I do not see an explanation why you believe this. Ubuntu, nor any other operating system, should ever hinder someone that can touch a machine.

Simple method: if you put in a Live DVD and boot from it, you can format the whole system without ever having to need to input a password. As it should be.

Even the most "secure" passwords you could set (the BIOS password asked during boot and before any device is accessed) can be circumvented: all motherboards have known default passwords that grant access to the system or using a simple screwdriver, the CMOS battery can be removed or the NVRAM chip can be swapped out.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »