Why is it possible to change the password of an admin user on linux?

25

5

A few days ago, a friend of mine wanted to show me that he can use my linux even if I don't tell him my password.

He entered GRUB and selected the recovery mode option. My first problem is that he already had access to my files (read only). He tried to do passwd but failed. Then he did some kind of remount (I guess that gave him write rights) and after that he was able to change my password.

Why is this possible? I personally see it as a security issue. Where I work there are several people that use linux and none of them have a BIOS password set or some other kind of security wall.

Ilea Cristian

Posted 2012-10-18T14:38:41.507

Reputation: 355

24 Doing this does require physical access to the computer. Realistically, unless you use TrueCrypt or similar, if I have physical access to your computer, I can probably get at your data one way or another. – Zac B – 2012-10-18T14:41:52.517

10 This is not specific to Linux. With physical access, you can do the same on Windows, OSX or probably any OS. One of the reasons I can see to be this way is that an admin can always forget his password and needs a way to get in the system. – laurent – 2012-10-18T16:28:50.627

Even if you can't log on to OS installed on the hard-drive, you can just boot a liveUSB distro, and mount the file systems and read all the files. You can always encrypt your home directory though, lots of distros have an option for doing that on install. That will safeguard most data from being read. (although it won't stop it being erased) – naught101 – 2012-10-18T23:50:14.230

3 With a screwdriver, this can be done to most anything... – SamB – 2012-10-19T01:33:20.303

Answers

43

The passwords are meant to prevent access from outside (network, internet), and they accomplish it. However, physical access is root access.

Unless you're encrypting your entire partition, it's always possible to boot from an optical disc or a flash drive and gain access to all your files. This way, you can also modify the files that store the users' passwords.

However, you can choose to disable the recovery mode if you want to. Steps:

  1. Open /etc/default/grub in a text editor (with root privileges)

  2. Uncomment/add the following line:

    GRUB_DISABLE_RECOVERY="true"
    
  3. Save the changes and run the following command:

    sudo update-grub
    

Dennis

Posted 2012-10-18T14:38:41.507

Reputation: 42 934

Does encryption affect the performance of my machine? – Ilea Cristian – 2012-10-18T14:46:56.863

@enum: According to CraigTP's answer to Speed of TrueCrypt whole disk encryption, only a little. – Dennis – 2012-10-18T14:48:08.830

What about a BIOS password? How secure is my machine? – Ilea Cristian – 2012-10-18T14:49:22.400

4 Disabling the BIOS password only takes a little longer. You can reset by setting the Clear CMOS jumper or by removing the CMOS battery. Also, you can still access the hard drive in any other computer. – Dennis – 2012-10-18T14:51:51.103

If you are so concerned about it that you are asking all these questions, just encrypt the drive. – EBGreen – 2012-10-18T14:54:42.707

Is there any other way to secure a machine? – Ilea Cristian – 2012-10-18T14:56:10.930

4 No. If somebody removes an unencrypted hard drive from your computer and connects it to one of his own, he can read from and write to the hard drive. It really doesn't matter what you do to the rest of the computer. – Dennis – 2012-10-18T14:57:57.243

7 Put it in a safe. – Chris Nava – 2012-10-18T14:58:12.660

@enum, see the first part of my answer here. – Darth Android – 2012-10-18T15:25:01.433

@Chris Sounds silly but actually I've seen a few schools/libraries etc put computers in locked 'cages' to prevent physical access, which I guess is an option when encrypting the drive isn't. – jam – 2012-10-18T15:40:45.830

@J20 Encrypting the drive is not as good as blocking physical access to a system. If you block physical access, you don't need to encrypt a drive; if you encrypt a drive, you still need to block physical access. – Darth Android – 2012-10-18T16:05:09.793

13 If the drive is encrypted it's still encrypted even if the drive is stolen. You don't encrypt a storage device to prevent the theft of the storage device. – Ramhound – 2012-10-18T16:31:33.447

2 Even if you don't show the 'recovery mode' option, you still have access to the grub console. If you don't want an outsider to have access to the grub console, you should put a password to grub – Carlos Campderrós – 2012-10-18T19:40:46.653

6

If someone can physically touch your machine they can get in.

Easiest way, load linux on a usb drive and boot from the usb stick. Voila, you can view the native file system and make whatever changes you like.

HayekSplosives

Posted 2012-10-18T14:38:41.507

Reputation: 533

3

It will always be possible to change the root password. It can always happen that someone forgot it. You need physical access to the server (or console access when virtualized) to enter the GRUB recovery mode, so when you are already there you can take the whole server/desktop as well to pull out the HDD and do some forensics on it. Safety-wise it does not matter a lot.

You can always encrypt your disc if you want additional security. That will make recovery a lot harder.

Jeroen

Posted 2012-10-18T14:38:41.507

Reputation: 186

2

For grub 1 do the following:

  1. Open a command line and enter as root grub-md5-crypt

  2. You are being asked for a password and after confirming your password you will see a hashvalue which you copy to the clipboard

  3. Open your editor of choice and edit /boot/grub/menu.lst and add to the first line:

    password --md5 "Hashvalue"
    
  4. Save the file. The hashvalue is the one you get from the command grub-md5-sum

For grub2 there is a tool which lets you set this up more easily: http://sourceforge.net/projects/grubpass/ After installing just type:

  1. grubpass into the shell as root user. The program is pretty much self explanatory.

However the best way to protect your data from this kind of access is to use full disk encryption.

l1zard

Posted 2012-10-18T14:38:41.507

Reputation: 933
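
A way to check the two boot loader settings discussed in the answers (GRUB_DISABLE_RECOVERY in Dennis's answer, and the GRUB password in the answer above), as an added example that is not part of any of the original posts. The function names and sample file contents are constructed for illustration; `set superusers` and `password_pbkdf2` are the GRUB 2 directives, which the answers themselves do not spell out.

```shell
# Added example: report GRUB hardening state from config files (or copies).

# /etc/default/grub: a commented-out line does not disable the recovery entries.
recovery_state() {
    if grep -Eq '^[[:space:]]*GRUB_DISABLE_RECOVERY="?true"?[[:space:]]*$' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# GRUB legacy menu.lst: only a password line before the first "title" locks the
# menu editor and command line; after a title it applies to that entry only.
legacy_password_state() {
    awk '
        /^[ \t]*title[ \t]/               { exit }
        /^[ \t]*password[ \t]+--md5[ \t]/ { s = "hashed"; exit }
        /^[ \t]*password[ \t]/            { s = "plaintext"; exit }
        END { if (s == "") s = "none"; print s }
    ' "$1"
}

# GRUB 2 grub.cfg: authentication is enforced once superusers is set, and the
# named user needs a password or password_pbkdf2 line to be able to log in.
grub2_password_state() {
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1"; then
        echo none
    elif grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"; then
        echo hashed
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
        echo plaintext
    else
        echo incomplete
    fi
}

# Constructed sample files (placeholder hashes) covering the easy mistakes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'GRUB_DEFAULT=0' '#GRUB_DISABLE_RECOVERY="true"' > "$d/default"
    printf '%s\n' 'default 0' 'title Linux' 'password --md5 $1$CONSTRUCTED' > "$d/menu.lst"
    printf '%s\n' 'set superusers="admin"' \
        'password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED' > "$d/grub.cfg"
    echo "recovery=$(recovery_state "$d/default")" \
         "legacy=$(legacy_password_state "$d/menu.lst")" \
         "grub2=$(grub2_password_state "$d/grub.cfg")"
    rm -rf "$d"
}
demo
```

On a real system the arguments would be /etc/default/grub, /boot/grub/menu.lst and the generated grub.cfg, read as root.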