Bug 457627

Summary: Access to root on boot before password request
Product: [Fedora] Fedora Reporter: Chris Jones <joneschrisan>
Component: grubAssignee: Peter Jones <pjones>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9CC: security-response-team
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-04 07:17:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Jones 2008-08-01 21:56:33 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Press any key to stop grub from starting the default kernel.
2. Press 'a' to edit the line.
3. Add to the end of the line ' single' ([Space] single but you know that)
4. Press enter and wait. 

Actual results:
Just after it has mounted the file system, it loads up in the shell as root
without having to type in a password.

Expected results:
Expected to type in my 2 pass codes for the encrypted partitions then load
everything and boot in text mode. login to a user in normal text mode.

Additional info:
I have the root and home partitions encrypted so I had to typed those pass codes
in first befor it booted into the shell as root.

I am using the 2.6.25.11-97.fc9.i686 kernel.
Comment 1 Tomas Hoger 2008-08-04 07:17:35 UTC 
Chris, this is not a grub flaw, it's rather well-known behavior in all current and previous Fedora / Red Hat Enterprise Linux / Red Hat Linux versions.  If you want to block attacker with physical access from booting to a single user mode, you should password-protect your grub configuration.

As you also noted, in case of encrypted disks, you need to know encryption passwords to get root access.

If you want to see the password prompt even in single user mode, you'd have to file RFE bug against initscripts, as that's the place where such prompt may be added.  grub is very unlikely to ever have such feature (it's just not its purpose).