Make foes happy

Story: How to reset lost root password on Ubuntu 16.04 Xenial Xerus Linux Total Replies: 6
Author Content
nmset

Jun 17, 2016
1:48 PM EDT
GNU/Linux haters can mock us now : we can wipe your disk any time, we don't even have to open the case.

Fortunately, Grub menu can be password protected, seems a bit complex but can be done.

IMO, this kind of article should not be publicly available, too dangerous, like 'how to make dynamite sticks in your kitchen on a boring day?'.
jdixon

Jun 17, 2016
2:17 PM EDT
> GNU/Linux haters can mock us now : we can wipe your disk any time, we don't even have to open the case.

That's always been the case. If you don't have physical security, you don't have security.

> IMO, this kind of article should not be publicly available, too dangerous, like 'how to make dynamite sticks in your kitchen on a boring day?'.

The people attacking your systems will know about it. Shouldn't you?
CFWhitman

Jun 20, 2016
2:15 PM EDT
Having a problem with this is basically succumbing to the DRM mentality. You're trying to make create obstacles for people whom you don't want to access your data, but in the end you create much greater obstacles for yourself. It's much easier to be able to restore a lost root password in this way than rebuilding your system. People whom you don't want to access your data shouldn't have physical access to your machine. If you're going to try and combat that, you should be using encryption.
nmset

Jun 20, 2016
3:56 PM EDT
>The people attacking your systems will know about it. Shouldn't you?

You're right.

>People whom you don't want to access your data shouldn't have physical access to your machine.

That's not always possible, we are not always surrounded by friends. Irrespective of encryption, you can just walk out of your office for a coffee, you get back and the disk is empty. You can't do that with competing OSs in that time frame. Apart from editing the GRUB entry with a password, I can't see what we can do efficiently.
dotmatrix

Jun 20, 2016
4:27 PM EDT
>You can't do that with competing OSs in that time frame.

Sure you can...

If someone has physical access to the computer or the HDD itself the data on the drive can always be deleted, and can almost always be discovered... the recovery of plain text data is only thwarted through the use of encryption. And even then, the choice of encryption would need to be public/private key with a removable private key... i.e. smartcard or USB key fob.

If the private key is stored on the machine, it's game over.

If the password is stored on the machine, it's game over.

If the encryption is public/private and the private key is removable, and the hashed credentials are not located anywhere on the system nor in the memory... then you might have secure data. But even then, there are ways around...

Seriously... if someone has your computer -regardless of OS- your data are lost - if the 'attacker' is knowledgeable enough.

CFWhitman

Jun 20, 2016
6:33 PM EDT
Well, dotmatrix said a number of things that I was thinking as I read the reply. There are a variety of measures you can take to create more obstacles for someone who might access your machine when you're not there (putting a boot password into BIOS/UEFI, for example, is not terribly effective, but more effective than removing single user mode from grub). If you want to institute them, you can, but removing single user mode from grub is way more likely to make things harder for you or your tech support than for anybody else. Someone could come in and boot your computer to a USB device to access your hard drive if you're running Windows (I do that often enough for other people who find their Windows drive unbootable for some reason).

I suppose you could argue that you could use single user mode to create a more permanent way in, but if someone who has physical access wants to do something like that, you have security issues regardless.
nmset

Jun 21, 2016
2:19 AM EDT
>you should be using encryption.

After second thought, I guess you meant encrypting the root partition. Yes, that would be effective if the GRUB entry is edited.

Now I won't do either of that, it's just deceiving to see how much we do boast about GNU/Linux superiority, rightly of course, and the fact that the system is so much exposed on its very boot process.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!