Gaining root access with grub
Security in Linux is strong, thanks to the Unix security culture and the constant attention paid to it (the latest example is the PolicyKit effort).
But I am still wondering why GRUB's ability to edit the kernel parameters is enabled by default on at least one major distribution (Ubuntu, to name it). Just add the “single” parameter, or set “init=/bin/bash”, and that's it, you’re root. Then go ahead: steal data, change passwords, do whatever you want.
Of course, we can greatly downplay the importance of the problem: the attacker must have physical access to the computer, and even without GRUB, you can still access the data with a live CD or, if the BIOS is locked or there is no CD drive, open the case and take the drive.
But still, it is a kind of “backdoor” out of the box! I see at least one use case where this kind of attack could be used: at work, you want to discreetly snoop on confidential files on your boss's computer.
I’ve tried to draw attention to this issue on ubuntu-devel-discuss, but without success so far.
Edit: the subject was discussed, and in the end the GRUB password was the problem: there is no way to synchronize it from user passwords if network authentication is used, and only the default US keyboard layout is supported in GRUB. Too bad, still…
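To check whether a given machine leaves the boot-time kernel parameter editor open as described above, an administrator can inspect its GRUB configuration (typically `/boot/grub/menu.lst` for GRUB legacy or `/boot/grub/grub.cfg` for GRUB 2). The shell function below is an added example, not part of the original post; the function name and output labels are illustrative, and the GRUB 2 check is a heuristic that does not verify that the password line belongs to a listed superuser.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GRUB config for
# protection of the interactive entry editor and command line.
# Prints: hashed | cleartext | unprotected   (exit 0 only for "hashed")

grub_edit_protection() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }

    if grep -Eq '^[[:space:]]*menuentry[[:space:]]' "$cfg"; then
        # GRUB 2: the editor is locked only when superusers is non-empty
        # and a password or password_pbkdf2 line is present.
        grep -Eq '^[[:space:]]*set[[:space:]]+superusers="?[^"[:space:]]' "$cfg" ||
            { echo "unprotected"; return 1; }
        if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]' "$cfg"; then
            echo "hashed"; return 0
        elif grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]' "$cfg"; then
            echo "cleartext"; return 1
        fi
        echo "unprotected"; return 1
    fi

    # GRUB legacy (menu.lst): only a global password line, i.e. one that
    # appears before the first "title", locks the editor. Commented-out
    # samples such as "# password topsecret" do not count, and a password
    # inside an entry protects that entry only.
    global=$(awk '/^[ \t]*title([ \t]|$)/ { exit }
                  /^[ \t]*password[ \t]+[^ \t]/ { print; exit }' "$cfg")
    case $global in
        "")      echo "unprotected"; return 1 ;;
        *--md5*) echo "hashed";      return 0 ;;
        *)       echo "cleartext";   return 1 ;;
    esac
}
```

A "cleartext" result means the editor is locked but the password is readable by anyone who can read the config file, so the file's permissions matter as much as the directive.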