Re: Security Question: require root passwd for single user mode login?


From: Michael A. Peters (Moonglue@141.com )
Date: Mon Aug 28 2000 - 15:24:25 MDT


Yes, it is possible, and it should be that way.
Debian does it that way. SuSE does it that way. Linux From Scratch
does it that way.

It's better that way, too.

NOT requiring a password to boot single user is a Red Hat thing, and
it sucks for physical security.

On the Intel platform you can password protect lilo to prevent someone
else from booting single, but, um, you can't do that on Mac. Not with
BootX anyway.

Also, the user being able to shut down or reboot from console is also
a Red Hat thing. They do it with pam to verify that the user is at
the console, but that's stupid! If I have a user that I allow to log
in, and I go to lunch, what the F* is to stop them from bringing up a
console, logging in, rebooting, booting single, and rooting my machine?

Sure, one can password protect lilo (on x86 anyway) but one should
NOT assume security of one program to provide security for a stupid
way to do something. There is a company in Redmond that already does
that.

Just because Macs don't have a good way to prevent booting off
alternate media (such as CDROM) does not mean its local security
should be shitty in other areas. Besides, I suspect RS/6000 and other
platforms linuxppc runs on have better physical security.

The user should NOT be able to log in w/o password when booting
single. Only root has any business being single, therefore the person
booting single should have the root password.

The user has NO BUSINESS shutting down a machine. Only root should
have that privilege. Therefore, only root should be able to do it.

pam was created for NIS. It has NO BUSINESS being used as a method to
allow users to halt or reboot a machine if they are at the console.
If a hole was ever found in pam, it would be exploited with DoS
attacks before you could spell script kitty.

I highly advise both LinuxPPC and Yellow Dog Linux to stray from Red
Hat's way when it comes to booting single or allowing users to reboot
a machine.

That would be a GOOD change.

What if the system is screwed up?
Boot from CD. Slackware's CD is particularly good for that on x86
(and rumor is a ppc port is in the works). The LinuxPPC 2000 CD is
good for that too (right click to bring up an xterm, and you can then
mount your root filesystem).

>Hi all,
>
>I have a security question. Is it possible that when the machine is
>booted in single user mode that it -does- ask for root's password, as
>opposed to just automatically logging in?
>
>Any information would be greatly appreciated!
>
>(Part of me just wondered if it's something simple with the passwd
>command, but the rest doubts it.)
>
>Thanks much,
>
>Jason Haas, jhaas@linuxppc.com
>Head of Customer Support, Co-webmaster, marketing guy, insert title here,
>LinuxPPC Inc, http://www.linuxppc.com
>
>
>** Sent via the linuxppc-user mail list. See http://lists.linuxppc.org/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Michael A. Peters-- http://24.5.29.77/Linux_Pages/
                                http://www.omnilinux.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
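The message above argues for two independent layers: init itself asking for the root password in single user mode, and the boot loader refusing boot arguments without one. The following check for both is an added example, not part of the original message; it assumes classic sysvinit /etc/inittab and LILO lilo.conf syntax, and the sample configs and function names are constructed for illustration.

```python
# Added example: the sample configs below are constructed, not taken from the post.
INITTAB_OPEN = "id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\nl1:1:wait:/etc/rc.d/rc 1\n"
INITTAB_LOCKED = INITTAB_OPEN + "~~:S:wait:/sbin/sulogin\n"
LILO_OPEN = "boot=/dev/hda\nprompt\nimage=/boot/vmlinuz\n  label=linux\n  root=/dev/hda1\n"
LILO_LOCKED = ("boot=/dev/hda\nprompt\npassword=CHANGEME\nrestricted\n"
               "image=/boot/vmlinuz\n  label=linux\n  root=/dev/hda1\n")

def _lines(text):
    """Yield non-blank lines with '#' comments and surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def single_user_needs_password(inittab):
    """True if an inittab entry (id:runlevels:action:process) for S/s runs sulogin."""
    for line in _lines(inittab):
        fields = line.split(":", 3)
        if len(fields) != 4:
            continue
        _, runlevels, _, process = fields
        argv = process.lstrip("+").split()
        if set(runlevels) & {"S", "s"} and argv and argv[0].rsplit("/", 1)[-1] == "sulogin":
            return True
    return False

def lilo_requires_password(lilo_conf):
    """True if every image=/other= section has a global or per-image password=."""
    global_pw, images = False, []
    for line in _lines(lilo_conf):
        key = line.split("=", 1)[0].strip().lower()
        if key in ("image", "other"):
            images.append(global_pw)   # a new section inherits the global setting
        elif key == "password":
            if images:
                images[-1] = True      # per-image password
            else:
                global_pw = True       # global section, before any image
    return bool(images) and all(images)

def audit(inittab, lilo_conf):
    """Return findings; an empty list means both layers ask for a password."""
    findings = []
    if not single_user_needs_password(inittab):
        findings.append("inittab: no sulogin entry for runlevel S")
    if not lilo_requires_password(lilo_conf):
        findings.append("lilo.conf: an image accepts boot arguments without a password")
    return findings

if __name__ == "__main__":
    print(audit(INITTAB_OPEN, LILO_OPEN))
    print(audit(INITTAB_LOCKED, LILO_LOCKED))
```

With `restricted`, LILO asks for the password only when arguments such as `single` are typed at the prompt; because lilo.conf stores the password in clear text, the file should be readable by root only.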
  



This archive was generated by hypermail 2a24 : Tue Aug 29 2000 - 00:29:03 MDT