Hide Forgot
Description of problem: When I enter single user mode from GRUB, I can log in to Fedora 14 without being asked any password. Then I can change the root password. It is a big security problem. Version-Release number of selected component (if applicable): Fedora 14. initscripts is of the latest version. How reproducible: It is easy to reproduce. Steps to Reproduce: 1. Power on the computer. 2. Press Space at the GRUB window. 3. Press "e" key at the "Fedora 14" item. 4. Add "single" at the end of line. 5. Press "b" key to boot the computer. 6. Then a root shell is got. Actual results: A root shell is got. Expected results: The user should be asked a password. Additional info: The security problem is in /etc/init/rcS-sulogin.conf The line "exec $SINGLE" is not good. It should be "exec /sbin/sulogin". The variable "SINGLE" can be deleted. Ubuntu has already fixed the security problem. If Fedora does not fix it, some Fedora users may turn to use Ubuntu, since Ubuntu is more secure.
You can set a password to protect your grub against a local attack. is there anything we can do Bill? Thanks for your report. -- Fedora Bugzappers Team Member
This has always been the case; single-user mode has never asked for a password by default. If this bothers you, edit /etc/sysconfig/init (see the SINGLE entry), or add a bootloader passwod.
It is Red Hat company's responsibility to ask for a password for single-user mode, because many Fedora users do not know how to fix this security problem at all.
... This has been the documented default since well before Fedora has existed, to the point where it's expected. Moreover, changing this doesn't help at all without additional steps (bootloader password, securing physical access, and so on.)