Why isn't this security hole flagged during installations? I've been using Ubuntu for 8 years, and just noticed every default Ubuntu install I've done without encrypting the disk has simple filesystem access.
I’m assuming you consider the problem being that on a standard Ubuntu install, and in fact most Linux distros, it’s possible to get full root access by simple on the fly command line edition on Grub.
So let’s put it bluntly : you’re right. But that’s IMHO, of course.
It seems that in the Linux world, a fair share of people assume that if someone gets console access to the system, that system is already pirated, hence no need for additional security measures. I do have another take on this, and it seems that somehow the Grub developers do too, as it’s possible to password-protect Grub. All PC BIOS developers do have a similar take too, since I don’t know of a BIOS that’s not password-protectable either. Heck, even the Windows boot loader can’t be modified on the fly, that requires admin authentication.
The problem is that scripts generating the grub config don’t take into account password protection, so you have two options :
Option 1 gets old real quick. Option 2 by far has my preference ; that’s what I did and it works well.
Unfortunately it’s getting late where I am and I must go to bed, but I felt the urge to start addressing this before the paint becomes dry. I will come back tomorrow to enter into more detail, but basically, the whole thing revolves around :
--unrestricted, so that you won’t have to enter the Grub password each and every time you just want to boot normally.