Bug 457627 - Access to root on boot before password request
Summary: Access to root on boot before password request
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: grub
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-01 21:56 UTC by Chris Jones
Modified: 2008-08-04 07:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-04 07:17:35 UTC
Type: ---



Description Chris Jones 2008-08-01 21:56:33 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Press any key to stop grub from starting the default kernel.
2. Press 'a' to edit the line.
3. Add to the end of the line ' single' ([Space] single but you know that)
4. Press enter and wait. 

Actual results:
Just after it has mounted the file system, it loads up in the shell as root
without having to type in a password.

Expected results:
Expected to type in my 2 pass codes for the encrypted partitions then load
everything and boot in text mode. Log in to a user in normal text mode.

Additional info:
I have the root and home partitions encrypted so I had to type those pass codes
in first before it booted into the shell as root.

I am using the 2.6.25.11-97.fc9.i686 kernel.

Comment 1 Tomas Hoger 2008-08-04 07:17:35 UTC
Chris, this is not a grub flaw, it's rather well-known behavior in all current and previous Fedora / Red Hat Enterprise Linux / Red Hat Linux versions.  If you want to block an attacker with physical access from booting to a single user mode, you should password-protect your grub configuration.

As you also noted, in case of encrypted disks, you need to know encryption passwords to get root access.

If you want to see the password prompt even in single user mode, you'd have to file an RFE bug against initscripts, as that's the place where such a prompt may be added.  grub is very unlikely to ever have such a feature (it's just not its purpose).
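
Added example, not part of the bug report or of GRUB itself: a small Python check for the mitigation Comment 1 describes. It assumes GRUB legacy menu syntax (`grub.conf`), where a `password` directive placed before the first `title` locks interactive editing of boot entries; the function name, finding labels and sample configs are constructed for illustration.

```python
import re

# Constructed sample menu files (not taken from the reporter's system).
UNPROTECTED = """\
default=0
timeout=5
title Fedora (constructed entry)
    root (hd0,0)
    kernel /vmlinuz-EXAMPLE ro root=/dev/mapper/example rhgb quiet
    initrd /initrd-EXAMPLE.img
"""

# Placeholder hash; a real one would come from grub-md5-crypt.
PROTECTED = UNPROTECTED.replace(
    "timeout=5\n",
    "timeout=5\npassword --md5 $1$PLACEHOLDER$PLACEHOLDERHASHVALUE0000\n")

# Password stored in clear text, readable by anyone who can read the file.
PLAINTEXT = UNPROTECTED.replace(
    "timeout=5\n", "timeout=5\npassword constructed-secret\n")


def audit_grub_legacy(text):
    """Return a list of findings for a GRUB legacy menu file."""
    in_entry = False      # True once the first 'title' line has been seen
    global_pw = None      # arguments of a menu-wide 'password' directive
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts both 'cmd args' and 'cmd=args'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            in_entry = True
        elif cmd == "password" and not in_entry:
            # Only a directive before the first entry guards the whole menu;
            # one inside an entry applies to that entry alone.
            global_pw = args
    findings = []
    if global_pw is None:
        findings.append("no-global-password")   # kernel line can be edited
    elif not global_pw.startswith("--md5"):
        findings.append("plaintext-password")
    return findings
```
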

