Why is it possible to change the password of an admin user on Linux?

Solution 1:

The passwords are meant to prevent access from outside (network, internet), and they accomplish it. However, physical access is root access.

Unless you're encrypting your entire partition, it's always possible to boot from an optical disc or a flash drive and gain access to all your files. This way, you can also modify the files that store the users' passwords.

However, you can choose to disable the recovery mode if you want to. Steps:

  1. Open /etc/default/grub in a text editor (with root privileges)

  2. Uncomment/add the following line:

    GRUB_DISABLE_RECOVERY="true"
    
  3. Save the changes and run the following command:

    sudo update-grub
    

Solution 2:

If someone can physically touch your machine they can get in.

Easiest way: load Linux on a USB drive and boot from the USB stick. Voilà, you can view the native file system and make whatever changes you like.

Solution 3:

It will always be possible to change the root password. It can always happen that someone forgot it. You need physical access to the server (or console access when virtualized) to enter the GRUB recovery mode, so when you are already there you can take the whole server/desktop as well to pull out the HDD and do some forensics on it. Safety-wise it does not matter a lot.

You can always encrypt your disc if you want additional security. That will make recovery a lot harder.

Solution 4:

For grub 1 do the following:

  1. Open a command line and enter as root grub-md5-crypt

  2. You will be asked for a password; after confirming it you will see a hash value, which you copy to the clipboard

  3. Open your editor of choice and edit /boot/grub/menu.lst and add to the first line:

    password --md5 "Hashvalue"
    
  4. Save the file. The hash value is the one you get from the command grub-md5-sum

For grub2 there is a tool which lets you set this up more easily: http://sourceforge.net/projects/grubpass/ After installing, just type:

  1. grubpass into the shell as root user. The program is pretty much self-explanatory.

However, the best way to protect your data from this kind of access is to use full disk encryption.
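
An added example, not part of any of the answers above: a small audit script that checks whether the `GRUB_DISABLE_RECOVERY="true"` setting from Solution 1 and the `password --md5` line from Solution 4 are actually in effect in the files you pass it. The function names are hypothetical and the sample files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Audit the two boot-loader settings from the answers; paths are arguments
# so the checks can be run against copies of the files.

# True if the last uncommented GRUB_DISABLE_RECOVERY assignment is "true".
recovery_disabled() {
    val=$(sed -n 's/^[[:space:]]*GRUB_DISABLE_RECOVERY=//p' "$1" | tail -n 1 |
          tr -d "\"'" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    [ "$val" = "true" ]
}

# True if menu.lst has "password --md5 <hash>" before the first "title",
# i.e. at the top of the file as step 3 of the GRUB 1 answer describes.
legacy_password_set() {
    awk '$1 ~ /^#/ { next }
         $1 == "title" { exit }
         $1 == "password" && $2 == "--md5" && NF >= 3 { found = 1; exit }
         END { exit !found }' "$1"
}

# Print one line per check; the return status is the number of findings.
audit_boot_config() {
    findings=0
    if recovery_disabled "$1"; then
        echo "OK   recovery entries disabled ($1)"
    else
        echo "WARN GRUB_DISABLE_RECOVERY is not \"true\" ($1)"
        findings=$((findings + 1))
    fi
    if legacy_password_set "$2"; then
        echo "OK   password --md5 set before first title ($2)"
    else
        echo "WARN no password --md5 line before first title ($2)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files, not taken from a real system.
tmp=$(mktemp -d)
printf '%s\n' 'GRUB_TIMEOUT=5' '#GRUB_DISABLE_RECOVERY="true"' > "$tmp/grub"
printf '%s\n' '# placeholder hash' 'password --md5 "HASH_PLACEHOLDER"' \
    'title Linux' > "$tmp/menu.lst"
audit_boot_config "$tmp/grub" "$tmp/menu.lst" || echo "findings: $?"
rm -rf "$tmp"
```

The sample run reports one finding, because the recovery line in the constructed `/etc/default/grub` copy is still commented out.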