Reminder: Physical access = Root access

Today I needed to reset a password on an Ubuntu system. While doing this, I was reminded of just how simple it is to get root access on a default install of Ubuntu. I wanted to share these steps on this blog to remind people that if someone has physical access to your Ubuntu system, they can get root access in just a few seconds.
  • Boot up your computer
  • When asked, hit "Escape" to enter the GRUB menu
  • Select the option that displays "recovery mode"
  • Select the option labeled "root prompt"
  • You are now logged in as root with the ability to change anything
It is really just that simple. This root console is great for advanced users who need to reset a password, but the average user will have no idea what to do. For instance, here is how I found the main user of this system:
root@laptop:~# cat /etc/passwd | grep 1000:1000
tristan:x:1000:1000:Tristan Rhodes,,,:/home/tristan:/bin/bash
This output shows that there is a user named "tristan" who is the main user of this system. Next I needed to reset the password for that user. So I entered this command:
root@laptop:~# passwd tristan
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@laptop:~#
Next I was able to reboot the system and log in as "tristan" using the new password I created.

Can this process be improved?

As I mentioned above, the root command prompt is not the most user-friendly interface ever invented. At best, it is confusing to new users, and at worst it is very dangerous. So how can this be improved? Well, there are already some great ideas floating about, and thanks to the powerful Ubuntu Brainstorm website you can see what people have said about this topic. One of the more popular ideas is a Graphical Recovery Mode. If you want to help make Ubuntu better, please vote on the ideas you want to see implemented or even post your own ideas on the Ubuntu Brainstorm website.

Is there any way to prevent root access?

Many people may choose to give up the simple password recovery in the interest of securing their system. There are many different ways to do this, including:
  • Use a BIOS password that prevents the computer from booting
  • Use a GRUB menu password that prevents the computer from booting
  • Use an encrypted file-system that requires a password to use
I'm sure there are other ways to do this, so please provide your input in the comments below.
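
The software-visible parts of these measures can be checked from a shell. The script below is an added example, not code from the original post: it audits copies of a GRUB configuration, a shadow file and a crypttab for a GRUB password, a usable root password (the measure suggested in the comments below) and at least one encrypted volume. It assumes GRUB 2 syntax ("set superusers", "password_pbkdf2", "--unrestricted"), which postdates this post; the function names, finding codes and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the defences discussed above on copies of the files.
# Assumes GRUB 2 syntax (superusers, password_pbkdf2, --unrestricted).

# 0 if the GRUB config defines a superuser and a password for it
grub_has_password() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$1"
}

# 0 if a recovery entry is exempted from the password with --unrestricted
grub_open_recovery() {
    grep -E '^[[:space:]]*menuentry[[:space:]].*recovery mode' "$1" |
        grep -q -e '--unrestricted'
}

# 0 if root's shadow field holds a usable hash (not empty, "!..." or "*...")
root_has_password() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in
        '' | '!'* | '*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if crypttab lists at least one volume (a heuristic for disk encryption)
has_encrypted_volume() {
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# audit_boot GRUB_CFG SHADOW CRYPTTAB: print one finding code per line
audit_boot() {
    if ! grub_has_password "$1"; then
        echo "grub-no-password"
    elif grub_open_recovery "$1"; then
        echo "grub-recovery-unrestricted"
    fi
    root_has_password "$2" || echo "root-password-locked-or-empty"
    has_encrypted_volume "$3" || echo "no-encrypted-volume"
    return 0
}

# Constructed sample: a default-style install with none of the defences.
d=$(mktemp -d)
printf 'menuentry "Ubuntu (recovery mode)" {\n}\n' > "$d/grub.cfg"
printf 'root:!:14000:0:99999:7:::\n' > "$d/shadow"
printf '# <target> <source> <key file> <options>\n' > "$d/crypttab"
audit_boot "$d/grub.cfg" "$d/shadow" "$d/crypttab"
rm -rf "$d"
```

On a real system, run audit_boot as root against /boot/grub/grub.cfg, /etc/shadow and /etc/crypttab. A BIOS password cannot be checked this way.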

Comments

  1. The 'fix' would be to require a password to access the recovery image. I don't know if there is a way to set that up in GRUB.

    Of course by changing the default user's password, you make it immediately apparent to the default user that the system has been compromised, unless you leave it logged in, and there is no requirement for a password to exit the screen saver.

  2. I suppose this is true of all computers (Macs and Windows as well as Linux) that don't have encrypted file systems and can be booted somehow.

  3. It is important to note that ONLY the encrypted partition is a way to prevent unauthorized root-access.
    Bios-passwords can easily be cracked (either by using one of the many master-passwords or by clearing the CMOS), and a bootable CD (for example the Ubuntu install-cd) overcomes the password-prompt in GRUB.

    Physical access means Root access unless strong encryption is used. Any other Method is Snake-Oil and should not be recommended like here in this blog post.

  4. It is also important to understand that encryption alone does not solve this problem (no question: it makes it harder). At least the kernel cannot be protected that way and must stay on an unencrypted filesystem. By compromising the code on that filesystem one can eavesdrop on the password for the encrypted filesystems. You better store your boot partition on a removable device... Next station: hardware keyboard logger...

  5. If you set a root password, they need to login to access root recovery mode.

    So just do a sudo passwd root to give root a password, problem solved.

  6. I would just like to second anonymous above. Setting a password for the root account will solve this problem. Any other distro needs the root password to enter single user mode.

    So to reset passwords on a box with a root password you would boot from a LiveCD. Do some fancy mount and chroot commands prior to the passwd.

    Some Recovery CDs like the Fedora CDs do the mounting for you.

  7. This just proves the old computer security rule that is so often forgotten: Any computer system can be compromised if the hacker has physical access to the machine. The only way around this is to keep servers and whatnot in a locked, secure room. Basic computer security 101.

  8. hello tristan, your posts are getting *much* better :)

    Can you please not teach people to do cat ... | grep?

    grep supports a filename as the last argument so this works as expected:
    grep 1000:1000 /etc/passwd

    If the computer is using an alternative authentication mechanism other than /etc/passwd (such as ldap, nis, or kerberos), your example won't work. You might actually try giving this command instead:
    getent passwd 1000

    It will work however you have /etc/nsswitch.conf configured and return the user matching uid 1000.

    Keep it up!
    http://www.digitalprognosis.com/blog

  9. As has already been explained, the only way to have a secure computer is to encrypt the HD, otherwise you can always take out the HD, put it in another computer, mount the HD and read and change whatever you want, and you can never, if others have physical access to the computer, secure your data from overwriting even if you encrypt the HDs. So physical access almost always means root access, and physical access always means that your data could be overwritten or damaged (take out the HD and use a hammer on it :-) )

  10. Jon, I've not seen a linux distro that required a password for single user mode.

    Debian, Red Hat (EL and Fedora), Gentoo and SuSE all let you in without a password. That's the whole reason for single user mode as opposed to a higher run level. That, and the fact that the partitions in /etc/fstab aren't parsed so you aren't guaranteed to have everything.

  11. There is no defense against physical access and a hammer.

  12. Well, even a fully encrypted file system may be decrypted (in some thousands of years :) ) so it's simply a matter of effort if someone gets your data or not.
    For private use, I just enabled the hard drive password on my Dell notebook because encryption necessarily slows down the system.
    If I had some really sensitive data, e.g. of my company, I might think about encryption.
    However, of course everyone is right when saying take a hammer and it's all done :)

  13. Debian...let you in without a password

    That's not true. Debian boots to an "enter root password" in single user mode. I can't speak to the other distros, but I'd be surprised if gentoo boots to a root # prompt.

    Without encrypting your disk at the filesystem level, physical access = root access will always be true. Sure, you can lock down grub or the BIOS, but if I have physical access and it is important that I gain that access, I can always remove the hard drive and take it.

    But why use a hammer when a screwdriver will suffice?

  14. Physical access is the most difficult situation to secure, undoubtedly, but I think the following are some basic steps that can be taken to prevent super "easy access." Any comments?

    1) In the BIOS, set the system to only boot from the HD - this prevents Live CD or USB booting, at the risk of making recovery harder.
    2) Anyone can change that, so add a password to the BIOS. As noted, this can be reset, but I'm talking about preventing "easy" access.
    3) Set the password in Grub for anything other than the default boot.

  15. Don't follow Anonymous's advice to create a root password. That just makes it so if someone's trying to get into your box they *know* the user is root, all they've gotta crack is the password. Without a root password, they have to brute force or guess your username before they can even start trying to crack the password.

  16. init=/bin/sh

  17. Any burglar who is not a complete beginner can get access to nearly every home. So why even bother locking your door when going out?

    Car thieves have no problems breaking into cars and getting away with them: so just leave your car unprotected.

    That seems to be the reasoning of some of the posters.

    Now seriously: while it is true that someone with physical access to your system can eventually get root access, it is also a fact that providing some basic protection can help to prevent most attempts from being successful.
    For more than 10 years I've had several Linux systems to which lots of people had physical access, and not a single time a root access has been compromised that way. And the users are quite inventive (students).
    The more protection levels you install, the less chance there is that your system will be cracked.

    My standard protection scheme is (much like David Engel's suggestion):

    0. Install a password on the root account (For Ubuntu users! Debian by default has one and won't let you boot into single user mode without using it)
    1. In the GRUB menu, lock the options that boot into single user modes.
    2. Prevent the boot menu from being changed without a password.
    3. Prevent booting from all but the default boot medium (in the BIOS).
    4. Prevent the BIOS from being changed by putting a supervisor password on it.

    I do not put a user/boot password on the BIOS because I want the systems to be able to restart unattended.

    The above measures are easy to install and provide a high degree of protection. Sure, it is possible to clear the BIOS password and change its settings, but that would involve disconnecting the system and opening the case. That would certainly take more than the few seconds it takes to get root access on a standard Ubuntu install, and also not go unnoticed by other people present in the room.

    My point: with some simple measures, physical access != root access.

  18. Anonymous at 7/10/2008 10:01 pm: "I've not seen a linux distro that required a password for single user mode."

    Every version of RH, RHEL, and Fedora since RH6 (and every Solaris iteration for that matter) requires a password to enter SUM.

  19. A recent attack showed that even an encrypted disk is vulnerable if it is still running (and able to read the encrypted partition). If you can rip out RAM and read it, you can use it to find the encryption key.

    It is still probably safe from anyone but a trained NSA keythief.

  20. Yeah, you can secure a system, but if something happens to the system admin, then what? No password = no access = then you have to replace your computer infrastructure. I believe I do not have the proper answer, but I have seen this happen before: this guy took care of all the computer systems. Then one weekend he had a heart attack. Monday morning came and the people at the office were grieving, and then: how do we log in to maintain the system? Peter always did it and he had the passwords.

  21. @benedict:
    "0. Install a password on the root account (For Ubuntu users! Debian by default has one and won't let you boot into single user mode without using it)"

    No. Then you only need to brute force the root password to get root. In Ubuntu's configuration, you need to brute force the correct username AND the correct password.

  22. @ McKenzie:
    Brute force attack is a remote attack.
    We were talking here about securing the machine against people that have (possibly legal) physical access. You should not allow normal users to (easily) get root access (such as by rebooting into single user mode without password).

    Protection against remote brute force attacks can fairly well be achieved by
    - using a tight firewall
    - running only the needed services and on a non-standard port where possible
    - running a tool like DenyHosts to throw out obvious attackers.


    @jdmoncr: Even if you forget your root and BIOS passwords, there is always a way to reset them. It may take a little time, work and knowledge, but it can always be done. That's why the protection is never 100% secure. It is enough to keep someone from getting easy and quick (and thus often unnoticed) root access on systems they have physical access to.

  23. Physical access = security screwed. lol =]

    A very good point you raise though. I'd never even thought about it before, since I've never used the recovery mode. Well spotted.
