My main OS is Debian but for testing purposes I dualboot with (K)Ubuntu Dapper. Also I share my machine, a laptop, every now and again with my Significant Other who only have a desktop. Since our office also is our bedroom it's convinient for her to have an acount on the lappie so she can be online if I'm catching up on some sleep.

Last night I went to bed early and she grabbed the laptop and set it up in the living room. A couple of minutes later she said she didn't know what to do and something strange had happened. Imagine my surprice when I found her at a shell prompt saying "root@ubuntu"!! Turned out she had accidently booted my Ubuntu in single-user mode, and that Ubuntu's single user mode happily drop you into a root shell. Is it me or is that kinda crazy???

I know that any system that is physically accessible is at risk security wise but come on. Instant root access for anyone happening to boot the computer is a bit too much.

This could really have caused a mess if I hadn't been home because she don't know the the first thing about using the commandline. She wouldn't know how to shut down or reboot... or how to get KDE running so she could get into a familiar environment. The usual "Enter root password or press <something> to continue booting" would have rescued her. Granted she would have been on the wrong partition in the wrong system, but she has no account there and would quickly have found out that a reboot would be the thing. Which she know how to do from KDM/ GDM.

Now that I know about it I've just removed the single user from GRUB but man... what a rude awakening :shock:

Tina

I use LiveCd versions of Oralux and GRML. Bot start up in the root account. From the root account any user could mount my hard drives and steal data or make a mess. Fortunately, the only on in my house that could do anything detrimental is my ME daughter, and I trust her without limits. :)

My office is in my bedroom too. I currently have two computer systems (soon to be a third), a 22" monitor, and all the stuff you can pile between them. Maybe I'll post a picture some day. :(

fos....

Oh I trust her not to do anything 'wrong' on purpose. What worried me is that she, although running Linux on her machine too (No Windows in our house!), don't know her way around the CLI. And a root account is not really the place to start experimenting.

I've been naging her to learn some basic CLI usage (like using apt) but she is too clever... she knows that as long as she don't know how to upgrade and otherwise maintain a linux system I will do it for her. :P

But of course, even though it takes very little to gain root access to a system if you are actually at the machine you usually don't want it to boot into root without a password. That's kinda like handing out keys to your house just because it's possible to brake in anyway...

My office is in my bedroom too. I currently have two computer systems (soon to be a third), a 22" monitor, and all the stuff you can pile between them. Maybe I'll post a picture some day.
Know the feeling. I've got two boxes (and the laptop) and a 19". The second box is a file server with no monitor attached. I did initially put a 22" on it but it was vetoed ;)

Tina

Hi Tina,

I see what you mean about Ubuntu and that has been one of my misgivings as well. You are immediately placed into a gui environment that anyone could accidently do damage with since it has root privaleges. Ubuntu and its progeny have taken away the security that was designed into unix by granting root privaleges to everyone.

fos....

I used to use that cleverness when mowing the yard in my youth. The lines were never straight enough to satisfy my dad and he would end up cutting it himself. :)

Hi Tina,

I see what you mean about Ubuntu and that has been one of my misgivings as well. You are immediately placed into a gui environment that anyone could accidently do damage with since it has root privaleges.

Only the 1st user entered in the Ubuntu installation process has sudo.

Most distros have Grub (or Lilo) with single user mode as an option. If you can boot the machine, you can be root.

-BoB

Most distros have Grub (or Lilo) with single user mode as an option. If you can boot the machine, you can be root.

-BoB

Yeah... but most distros require root password to enter single user mode (Yes I know you can do it without a passwd with some knowledge and effort). My complaint is mainly about the possibility to accidently boot into root with no password what so ever.

Except for LiveCD distros I have never seen that before my SO accidently became root on Ubuntu.

Tina

Tina,

You are right about Ubuntu starting up in single user mode without a password.

I tested this.
If you set a root password, then you also will need to enter that password for single user mode.

To set a root password:
$ sudo passwd

-BoB