Red Hat Bugzilla – Bug 457627
Access to root on boot before password request
Last modified: 2008-08-04 03:17:35 EDT
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Press any key to stop grub from starting the default kernel. 2. Press 'a' to edit the line. 3. Add to the end of the line ' single' ([Space] single but you know that) 4. Press enter and wait. Actual results: Just after it has mounted the file system, it loads up in the shell as root without having to type in a password. Expected results: Expected to type in my 2 pass codes for the encrypted partitions then load everything and boot in text mode. login to a user in normal text mode. Additional info: I have the root and home partitions encrypted so I had to typed those pass codes in first befor it booted into the shell as root. I am using the 2.6.25.11-97.fc9.i686 kernel.
Chris, this is not a grub flaw, it's rather well-known behavior in all current and previous Fedora / Red Hat Enterprise Linux / Red Hat Linux versions. If you want to block attacker with physical access from booting to a single user mode, you should password-protect your grub configuration. As you also noted, in case of encrypted disks, you need to know encryption passwords to get root access. If you want to see the password prompt even in single user mode, you'd have to file RFE bug against initscripts, as that's the place where such prompt may be added. grub is very unlikely to ever have such feature (it's just not its purpose).