Re: require root passwd for single user mode login?


Subject: Re: require root passwd for single user mode login?
From: Kyle Wheeler (kw837498@oak.cats.ohiou.edu)
Date: Tue Aug 29 2000 - 11:02:07 MDT


At 9:50 AM -0400 8/29/00, Hollis R Blanchard wrote:
>I actually found out the reason for this. The idea is that if they're at
>console, they can shut it down anyways. And 'halt' is clearly a better
>solution than pulling the plug.

I suppose - but that's only if it's a standard computer in someone's
office. What if it's a computer that's part of a kiosk (or something
similar) where physically disconnecting power is much more difficult?
Root password should still be required. (Once they have it rebooting,
they can use interactive startup to disable whatever goes on.)
Perhaps there should be different policies for reboot and for halt?
Root for reboot, user for halt, root for shutdown?

>I'm sure you know it's a commonly accepted tenet of security that if you
>have physical access to the machine you can do whatever you want...
>there's no reason to make everything really restrictive if all you have
>to do is boot from a CD to circumvent it.

Heh - if you left a CD in there.
Yes, it is a commonly accepted tenet of security that physical is
everything. HOWEVER, sometimes you need to secure a machine that has
public physical access (read: kiosk, point-of-sale-system, etc.).
Now, you can remove the CD-ROM, floppy, zip, whatever - and magically
it can't boot from removable media. You can secure the power-supply
so that nothing short of a blowtorch or a power-outage (by cutting or
shutting down the main line) for more than an hour (or longer -
battery backups) could bring it down. We really ought to - in that
case - be at least capable of making "shutdown", "halt", and "reboot"
a little more secure, without needing to hack too much source code.

>I hope you understand the situation better now.

A little.

>Incidentally, I also discovered why Red Hat creates a group for every user.
>There really is a reason...

Ooh, now I'm curious. What is it?

~Kyle Wheeler

-- 
---
I'm as fond of my body as anyone, but if I can be 200 with a body of 
silicon, I'll take it.
--Danny Hillis



This archive was generated by hypermail 2a24 : Tue Aug 29 2000 - 11:07:17 MDT