Easy root access with an install disk booting

On a security point of view, Linux is all about rights partitioning (users can have different home directories, files access rights are methodically set and so on...).
However, one only needs to insert a rescue/install disk to be root, mount everything (s)he needs, chroot instantly etcetera.
So may I ask why bothers with the rights then? Sorry, the question is surely simplistic but I think you get my point
Did I miss something? Do I need to understand that to have a secure system I must deactivate booting from an external drive/disk?
Thank you.

Quote:

Originally Posted by l0f4r0 On a security point of view, Linux is all about rights partitioning (users can have different home directories, files access rights are methodically set and so on...). However, one only needs to insert a rescue/install disk to be root, mount everything (s)he needs, chroot instantly etcetera. So may I ask why bothers with the rights then? Sorry, the question is surely simplistic but I think you get my point Did I miss something? Do I need to understand that to have a secure system I must deactivate booting from an external drive/disk? Thank you.

That's why I encrypt my "home" partition, so even if you did try to mount it with a "live" system, you would still need the password for the encryption to decrypt it.

Otherwise yeah, it's pretty easy to mount the partitions and copy everything off of it. I don't bother encrypting the "root" partition, given that you could just download the system itself off of the Internet anyway.

If I understood your question/post correctly...

Also, consider that "only...insert a rescue/install disk" requires physical access to the hardware. Restriction of physical access in a business environment is (should be) limited to those who already have root access.

Given that "normal" users won't have that access, the rights of which you speak are used to manage the (usually necessary) "separation of powers"

actually I work on a lot of remote and virtual systems. There is no any way (to anyone) to insert a rescue/install disk....

That means that it's somewhat incorrect to think that data are securely partitioned (i.e. cannot be accessed by normal users) in a personal environment (for example if I create different /home directories for my parents, brother, sister etc on the shared home computer)?

If they can start another system and mount the partitions on that computer with root permissions, and those partitions are not encrypted (or they know the encryption password for those partitions if they are encrypted), then yes, they could still access the data on said partitions.

You can also normally set a password on the BIOS/UEFI "boot menu" so they can't start another system unless they know that password.

Quote:

Originally Posted by l0f4r0 That means that it's somewhat incorrect to think that data are securely partitioned (i.e. cannot be accessed by normal users) in a personal environment (for example if I create different /home directories for my parents, brother, sister etc on the shared home computer)?

If any of those family members are not root but knowledgeable enough to use a rescue disk then yes, somewhat incorrect...but that's pretty much the primary condition.

If none are such, and not allowed sudo, then the data are securely partitioned, AFAIK.

Quote:

Originally Posted by jsbjsb001 You can also normally set a password on the BIOS/UEFI "boot menu" so they can't start another system unless they know that password.

Ok, thanks for this countermeasure

Quote:

Originally Posted by scasey If any of those family members are not root but knowledgeable enough to use a rescue disk then yes, somewhat incorrect...but that's pretty much the primary condition. If none are such, and not allowed sudo, then the data are securely partitioned, AFAIK.

Knowledge is power then