StupidityIndexOutOfBoundsException: Physical access at a meetup

Lucky me I’m on Linux, and am totally and absolutely anonymous, private and secure. ~ Privacy, Anonymity and Security on IRC

The measures below give a reasonably secure setup for situations where other people have physical access to your Ubuntu machine, such as unconferences, hackmeets, geekparties …

Disclaimer: This is not failproof. Nothing ever is. It doesn’t take much effort to pull out a LiveCD and bypass or read a password set on GRUB. Even if you do chmod it. GRUB can’t be stored on an encrypted partition. But people can only read the md5sum. And as far as I know it’s almost impossible to recover the password from a dirty md5 hash like the ones created by md5crypt (“dirty” means there are random characters inserted). If you also password protect BIOS settings and you don’t allow the machine to be booted other than via the hard disk, the combination is a reasonably secure solution. Of course, someone can steal your machine and mount the hard disk on another machine …

BIOS

When the computer is booted from an installation or Live CD, some installations let users “rescue” the system:

boot: rescue

Put the HDD first in the BIOS boot sequence, so an installation disk cannot be used to gain access as the root user. Also set a BIOS password so that users cannot change the boot sequence. Phoenix BIOS is widespread: get in with F2 and find the Security settings. There is no need to require a password on every boot-up, only for editing the BIOS settings.

Note: Most machines these days offer a “Hard Drive Lock” password option in BIOS. Even if your HDD is moved to a different computer, or a liveCD is used, the data still cannot be read from the drive.

GRUB

Also, at boot-up, if the GRUB menu is hidden, ‘Esc’ can be used to enter the GRUB menu, select a recovery mode kernel, and enter the machine. To prevent this, set a GRUB password and ensure that interactive editing of the GRUB menu is disabled.

Karmic until Natty Narwhal

Karmic onward uses Grub2 unless you upgraded from a previous version of Ubuntu and have not manually upgraded to Grub2. Go into grub:

grub
grub> md5crypt
Password: ****** (ubuntu)
Encrypted: $1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1 (encrypted password)
grub> quit

If you already set a GRUB password, get it:

grub-md5-crypt
Password:
Retype password:
$1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1

In both cases, back up your configuration file, then open the configuration file:

sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
gksudo gedit /boot/grub/menu.lst

If you have just set or changed the GRUB password add or adapt the password:

...
# password topsecret
password --md5 $1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1
...

Now look for:

...
title     Ubuntu kernel x.x.x-x-386 (recovery mode)
root     (hd0,1)
...

and add lock between title and root:

...
title     Ubuntu kernel x.x.x-x-386 (recovery mode)
lock
root     (hd0,1)
...

If lockalternative=false exists, set it to lockalternative=true.
Save the file. Now the GRUB console requires the password before anything can be edited, and the recovery modes don’t boot unless the password is given. In proper paranoia mode, also prevent everyone except root from reading /boot/grub/menu.lst by doing:

sudo chmod 600 /boot/grub/menu.lst
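
To check that none of the menu.lst steps above was missed, the following audit can be run against the file. It is an added example, not part of the original post; the function names audit_menu_lst and sample_menu_lst are hypothetical, and it assumes lockalternative appears either bare or behind a single "#".

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Usage: audit_menu_lst /boot/grub/menu.lst   (prints findings, returns 1 if any)
audit_menu_lst() {
    file=$1
    findings=$(
        awk '
        function check_entry() {
            if (in_entry && recovery && !locked)
                print "recovery entry without lock: " title
        }
        # Global "password --md5 <hash>" line, i.e. before the first title.
        /^[ \t]*password[ \t]+--md5[ \t]+[^ \t]/ && !in_entry { have_pw = 1 }
        # Active password line without an option: stored in cleartext.
        /^[ \t]*password[ \t]+[^- \t]/ { print "cleartext password, line " NR }
        # Assumption: the setting appears bare or behind a single "#".
        /^#?[ \t]*lockalternative=false/ { print "lockalternative=false, line " NR }
        /^[ \t]*title[ \t]/ {
            check_entry()               # close the previous boot entry
            in_entry = 1; locked = 0; title = $0
            recovery = ($0 ~ /recovery mode/)
        }
        /^[ \t]*lock[ \t]*$/ && in_entry { locked = 1 }
        END {
            check_entry()
            if (!have_pw) print "no global password --md5 line"
        }' "$file"
        # chmod 600 check: characters 5-10 of ls -l are the group/other bits.
        perms=$(ls -ld "$file" | cut -c5-10)
        [ "$perms" = "------" ] || echo "readable beyond owner: $perms"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: password set, but recovery entry and lockalternative missed.
sample_menu_lst() {
    cat <<'EOF'
password --md5 $1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1
# lockalternative=false
title     Ubuntu kernel x.x.x-x-386
root     (hd0,1)
title     Ubuntu kernel x.x.x-x-386 (recovery mode)
root     (hd0,1)
EOF
}
```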

Natty Narwhal

Eager for the new stuff, you may have upgraded to 11.04. Sorry, no GRUB. And if you were on a dual boot system, well, it ain’t working anyway. And not just GRUB. Likely your machine is frozen in GRUB.

Apparently the notion of test driven development has not reached all open source core development teams yet. It’s a GRUBBY slaughterhouse out there.

You can try:

sudo cp /etc/default/grub /etc/default/grub_backup
gksudo gedit /etc/default/grub

Uncomment that line, and then run ‘update-grub’ to update /boot/grub/grub.cfg.

BASH

Limit your recall history to 100 lines and prevent Ctrl+Alt+Del from restarting your machine in console mode.

You can limit your history in the /etc/environment file. In Ubuntu, variables set in profile files have to be set with export; in the environment file they don’t. And ~/.bashrc is executed for non-login shells.

sudo cp /etc/environment /etc/environment_backup
gksudo gedit /etc/environment

Before Edgy Eft

sudo cp /etc/inittab /etc/inittab.backup
gksudo gedit /etc/inittab

Comment out ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

Until Maverick Meerkat

In versions later than 6.10, /etc/event.d/ replaced /etc/inittab. Ubuntu refers to it as upstart.

sudo cp /etc/event.d/control-alt-delete /etc/event.d/control-alt-delete.backup
gksudo gedit /etc/event.d/control-alt-delete

Comment out exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Natty Narwhal

In Ubuntu 11.04 this requires a change in the /etc/init/control-alt-delete.conf file.

sudo cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.backup
gksudo gedit /etc/init/control-alt-delete.conf

Comment out start on control-alt-delete.

Posted on May 19, 2011, in Users.