This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Re: root password ? Shock ! or is it not that bad ? From: Steve Borho <sborho@ststech.com> Date: Wed, 26 May 1999 17:39:09 -0500 On Wed, May 26, 1999 at 09:37:07PM +0000, Greg W wrote: > So my question is, how do we prevent someone from doing exactly this, and > this easily, I know physical access is the biggest threat, but this is just > way too easy, turn your back for 5 mins (or less) system compromised, it > also looks like there is no point on setting any read or access permissions > different to standard, and lilo would probably need to be left in this mode > to be able to recover from a simple networking mistake, config error. > > Simplest effective way? This thread pops up every month or so. (every time someone forgets their root password) Physical access == root access. You can make it difficult by: 1) password protecting lilo, removing boot prompt 2) password protecting bios 3) don't plug keyboards into your servers/lock the cases 4) removing other boot devices (floppies, cdrom, etc) But there is no real protection, especially with PC's. If you have data that must be safe, then you must have (at least) physical protection for the computer it's stored on. === Subject: Re: root password ? Shock ! or is it not that bad ? From: Gordon Messmer <yinyang@eburg.com> Date: Wed, 26 May 1999 15:51:15 -0700 Greg W wrote: > But now I realize that anyone with physical access can easily compromise a > system, therefore the network, and they only have to have been on this list > to realize it (or know what linux single does). > > So my question is, how do we prevent someone from doing exactly this, and > this easily, I know physical access is the biggest threat, but this is just > way too easy, turn your back for 5 mins (or less) system compromised, it > also looks like there is no point on setting any read or access permissions > different to standard, and lilo would probably need to be left in this mode > to be able to recover from a simple networking mistake, config error. > > Simplest effective way? Sure: 1) Remove or comment 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' out of /etc/inittab: #ca::ctrlaltdel:/sbin/shutdown -t3 -r now Now root access is required to reboot or shutdown, except for those nasty buttons on the case, eh? 2) Restrict others from giving lilo options: image=/boot/vmlinuz-2.2.6-ac1 label=linux root=/dev/hdb3 read-only restricted password=A|<R4zee_P4$$ Now even people who shut the machine off (I disconnect all my reset buttons. They're much more fun to play with when they aren't connected) cant' give lilo options without knowing the password. No more "linux single" to worry about, except for boot floppies. 3) Disconnect your floppy drive. Who uses those anymore? Also (or), set your boot sequence in the BIOS to boot from IDE Master first and password protect the BIOS. Easy access is no longer so easy...Nifty tricks require removing the drive or resetting the CMOS (unless I'm wrong :) ===