Physical access to linux boxes
- February 5th, 2010
- Posted in IT
Having physical access to a machine, in many common cases, means being able to get root access to the installed system. This is widely known for some versions of MS Windows; I don't know much about Windows 7 right now, but here we have a video from the guys at Offensive Security where Windows Vista is owned just by booting BackTrack and replacing C:\Windows\System32\Utilman.exe with cmd.exe, and weak passwords stored as LM and NTLM hashes can be easily cracked with the Ophcrack LiveCD or any other live system plus large rainbow tables. So people switching to Linux may think their systems are more secure now, and that bad guys won't be able to access them if they leave the room for five minutes. Unfortunately that isn't true as far as physical access to default-like installations is concerned. When a Linux machine is powered on, a bootloader is launched; it loads the initrd, if any, and the kernel into memory, with a set of given options. Common bootloaders such as GRUB allow the user to choose among different entries, which may refer to different kernels or different option sets. By default, nothing prevents those entries from being edited. The following video shows how anyone with physical access to the machine can edit an entry to instruct the kernel to run a shell, e.g. instead of the init daemon, without being asked for any password, and gain root access to the machine this way. It also shows how to deny this kind of action by setting up password protection for all the entries.
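As an added example (not from the original post), here is a small POSIX shell audit that checks whether a GRUB configuration actually locks the entry editor: for GRUB 2 a `password`/`password_pbkdf2` line alone is not enough, `set superusers=` must also be present, while GRUB Legacy only needs a top-level `password` line. The sample configs it writes are constructed and hypothetical, and the pbkdf2 hash is a placeholder.

```shell
#!/bin/sh
# Audit a GRUB config for console password protection (the 'e' edit-entry attack above).
# GRUB 2 (grub.cfg): editing is restricted only when "set superusers=" AND a
# password/password_pbkdf2 line are both present. GRUB Legacy (menu.lst): a
# top-level "password" line locks the editor.

# Usage: grub_entries_protected FILE -> returns 0 if protected, 1 if not, 2 if unreadable
grub_entries_protected() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    if grep -Eq '^[[:space:]]*menuentry[[:space:]]' "$cfg"; then
        # GRUB 2 syntax: both directives are required, a password alone is not enough
        if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" &&
           grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
            echo "$cfg: GRUB 2 superusers and password set; editing entries needs a login"
            return 0
        fi
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        # GRUB Legacy syntax (title/kernel/initrd)
        echo "$cfg: GRUB Legacy password directive found; entry editing is locked"
        return 0
    fi
    echo "$cfg: no effective password; anyone at the console can edit entries"
    return 1
}

# Constructed sample configs (hypothetical, not from any real host) so this runs offline.
make_samples() {
    dir="$1"
    cat > "$dir/menu.lst" <<'EOF'
title Debian GNU/Linux
kernel /vmlinuz root=/dev/sda1 ro
initrd /initrd.img
EOF
    cat > "$dir/grub.cfg" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Debian GNU/Linux' {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
EOF
}

# Stand-alone run: audit both constructed samples (one unprotected, one protected)
d=$(mktemp -d)
make_samples "$d"
grub_entries_protected "$d/menu.lst" || true
grub_entries_protected "$d/grub.cfg" || true
rm -rf "$d"
```

On a real host, point `grub_entries_protected` at /boot/grub/grub.cfg (GRUB 2) or /boot/grub/menu.lst (GRUB Legacy).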
Protecting GRUB entries is anyway just one little step towards reducing the risks that come from untrusted physical access. Booting from a LiveCD or an external drive will give easy access to your filesystem. You can avoid this by disabling booting from CD-ROMs and other devices in the BIOS settings, and then setting a password on the BIOS configuration. But the BIOS configuration can be reset, at the very least by removing the battery from the motherboard, and in any case someone can still pull out your hard drive and mount it on another system. If you care about that, your solution may simply be encrypting your whole partitions, so that a passphrase is required (every time) when they are mounted.