StupidityIndexOutOfBoundsException: Physical access at a meetup
The measures below give a reasonably secure solution in contexts where people have physical access to your Ubuntu machine, like unconferences, hackmeets, geekparties …
Disclaimer: This is not failproof. Nothing ever is. It doesn’t take much effort to pull out a LiveCD and bypass or read a password set in GRUB, even if you chmod the file: GRUB can’t be stored on an encrypted partition. But what people can read is only the MD5 hash, and as far as I know it’s almost impossible to recover the password from a salted, “dirty” md5crypt hash (“dirty” meaning that random characters are inserted). If you also password-protect the BIOS settings and don’t allow the machine to boot from anything other than the hard disk, the combination is a reasonably secure solution. Of course, someone can still steal your machine and mount the hard disk in another machine …
Booting the computer from an installation or Live CD lets users “rescue” some installations, so:
Set the HDD first in the BIOS boot sequence, so an installation disk cannot be used to gain access as the root user. Also set a BIOS password so that users cannot change the boot sequence. Phoenix BIOS is widespread: get in with F2 and find the Security settings. No need to set a password for every boot-up, just for editing the BIOS.
Note: Most machines these days offer a “Hard Drive Lock” password option in BIOS. Even if your HDD is moved to a different computer, or a liveCD is used, the data still cannot be read from the drive.
Also, at boot-up, even if the GRUB menu is hidden, ‘Esc’ can be used to enter it, select a recovery-mode kernel and get into the machine. To prevent this, set a GRUB password and make sure interactive editing of the GRUB menu is disabled.
Karmic until Natty Narwhal
Karmic onward uses Grub2 unless you upgraded from a previous version of Ubuntu and have not manually upgraded to Grub2. Go into grub:
grub
grub> md5crypt
Password: ****** (ubuntu)
Encrypted: $1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1 (encrypted password)
grub> quit
If you already have a GRUB password, generate its hash from the command line:
grub-md5-crypt
Password:
Retype password:
$1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1
In both cases, back up your configuration file, then open the config file:
sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
gksudo gedit /boot/grub/menu.lst
If you have just set or changed the GRUB password add or adapt the password:
...
# password topsecret
password --md5 $1$AA1fzek.0$DBVjUcT1Mpod4u/TAj1
...
Now look for:
...
title Ubuntu kernel x.x.x-x-386 (recovery mode)
root (hd0,1)
...
and add lock between title and root:
...
title Ubuntu kernel x.x.x-x-386 (recovery mode)
lock
root (hd0,1)
...
If lockalternative=false exists, set it to lockalternative=true.
Save the file. Now your GRUB console will need a password for being edited, and recovery modes don’t work unless the password is given. In proper paranoia mode, also prevent everyone except root from reading /boot/grub/menu.lst by doing:
sudo chmod 600 /boot/grub/menu.lst
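As an added check that is not part of the original post: a small POSIX shell function (check_menu_lst, a name chosen here) that audits a menu.lst against the four measures above, so you can confirm the hardening survived the next update-grub run. It assumes GRUB legacy syntax and GNU grep/awk/ls as shipped on Ubuntu.

```shell
#!/bin/sh
# Audit a GRUB legacy menu.lst against the four measures described above.
# check_menu_lst is a helper name chosen for this example (not from the original post).
# Usage: check_menu_lst /boot/grub/menu.lst   -> exit 0 = hardened, 1 = findings printed
check_menu_lst() {
    file="$1"
    rc=0

    # 1. A hashed 'password --md5 $1$...' line must exist, and no plaintext one.
    if ! grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$file"; then
        echo "MISSING: no 'password --md5 <hash>' line"; rc=1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^-[:space:]]' "$file"; then
        echo "WEAK: plaintext 'password ...' line present"; rc=1
    fi

    # 2. Every '(recovery mode)' stanza needs 'lock' before its root/kernel/initrd
    #    lines; a lock placed after them is reached only once booting has begun.
    awk '
        function flush() { if (rec && !locked) { print "UNLOCKED: " title; bad = 1 } }
        /^[ \t]*title[ \t]/ { flush(); title = $0; rec = ($0 ~ /recovery mode/)
                              locked = 0; booted = 0; next }
        /^[ \t]*(root|kernel|initrd)[ \t]/ { booted = 1 }
        /^[ \t]*lock[ \t]*$/ { if (!booted) locked = 1 }
        END { flush(); exit bad + 0 }
    ' "$file" || rc=1

    # 3. update-grub rewrites the stanzas; lockalternative=false would drop the lock.
    if grep -Eq '^#?[[:space:]]*lockalternative[[:space:]]*=[[:space:]]*false' "$file"; then
        echo "MISSING: lockalternative=false (update-grub will not lock recovery entries)"; rc=1
    fi

    # 4. The hash is only as private as the file: expect mode 600 (-rw-------).
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "WEAK: mode is $mode, expected -rw------- (sudo chmod 600 $file)"; rc=1
    fi
    return "$rc"
}
```

Run it as root after every kernel update; a clean run prints nothing and exits 0.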
Eager for the new stuff, you may have upgraded to 11.04. Sorry, no GRUB. And if you were on a dual-boot system, well, it ain’t working anyway. And not just GRUB. Likely your machine is frozen in GRUB.
Apparently the notion of test driven development has not reached all open source core development teams yet. It’s a GRUBBY slaughterhouse out there.
You can try:
sudo cp /etc/default/grub /etc/default/grub_backup
gksudo gedit /etc/default/grub
Uncomment that line, and then run ‘update-grub’ to update /boot/grub/grub.cfg.
Limit your recall history to 100 lines and prevent Ctrl+Alt+Del from restarting your machine in console mode.
You can limit your history in the /etc/environment file. In Ubuntu, the profile files need export to set variables; the environment file does not. Keep in mind that ~/.bashrc is executed for non-login shells.
sudo cp /etc/environment /etc/environment_backup
gksudo gedit /etc/environment
Before Edgy Eft
sudo cp /etc/inittab /etc/inittab.backup
gksudo gedit /etc/inittab
Comment out the line:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
Until Maverick Meerkat
In versions after 6.10, /etc/event.d/ replaced /etc/inittab; Ubuntu refers to this as Upstart.
sudo cp /etc/event.d/control-alt-delete /etc/event.d/control-alt-delete.backup
gksudo gedit /etc/event.d/control-alt-delete
Comment out the line:
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
In Ubuntu 11.04 this requires a change in the /etc/init/control-alt-delete.conf file.
sudo cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.backup
gksudo gedit /etc/init/control-alt-delete.conf
Comment out the line:
start on control-alt-delete