[techtalk] root passwd
Linda MacPhee-Cobb
prettyphysicslady at hotmail.com
Fri May 11 20:08:39 EST 2001
Hi,
I've been informed this is a 'feature' not a 'flaw'..... sound like MS?
From: Alan Cox <alan at redhat.com>
Message-ID: <200105112336.f4BNaI217904 at devserv.devel.redhat.com>
Subject: Re: root password security flaw
To: linda at timestocome.com (Linda MacPhee-Cobb)
Date: Fri, 11 May 2001 19:36:18 -0400 (EDT)
CC: alan at redhat.com (Alan)
In-Reply-To: <3AFC7525.B41409B0 at timestocome.com> from "Linda MacPhee-Cobb" at May 11, 2001 07:26:29 PM
X-Mailer: ELM [version 2.5 PL3]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: alan at devserv.devel.redhat.com
> > Ok, Now how do you do it.
> > 1: first think up a new password.
> > 2: reboot the machine
> > 3: At lilo prompt type Linux 1
> > 4: at the prompt after you are in type passwd root
> > 5: enter your new password twice.
> > 6: Reboot like normal
> > > **************
> > I tried it on both my and my husband's machines and trivially gained
> > root control.
Well, it's a PC. So let's firstly look at this objectively.
Got a screwdriver? Then you have root access.
Floppy drive and the machine boots floppy first? Then you have root access.
In certain environments you don't want people doing this. Lilo allows you to
stop people adding options to the lilo prompt in such cases. Of course a
screwdriver and/or axe still work very well, but there are ways to deal
with that in things like libraries.
So no, it isn't a bug. It's a configuration item. If you are worried about
people with screwdrivers (and in corporate data cases you might be..) then you end
up needing hard encryption on all disk contents so even if the bad guys
steal the disk they can't access the data without the decryption key.
I suspect however the password options on lilo are what you want.
Alan
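As an added illustration of the lilo configuration item Alan mentions (not part of the thread, and not Red Hat's or Alan's own configuration), here is an /etc/lilo.conf fragment showing the unrestricted stanza beside one that requires a password only when options are typed at the prompt. The image path, label, root device and password value are assumed placeholders.

```conf
# /etc/lilo.conf (added example; image path, label, root device and
# the password value are assumed, not taken from the thread)

boot=/dev/hda
prompt
timeout=50

# Before: anything typed at the LILO prompt is accepted, so
# "Linux 1" boots straight to single-user mode with no password.
#
# image=/boot/vmlinuz
#     label=Linux
#     root=/dev/hda1
#     read-only

# After: "restricted" makes LILO ask for the password only when extra
# options are given at the prompt, so a plain "Linux" boot still works
# unattended but "Linux 1" (or any other added option) needs the password.
image=/boot/vmlinuz
    label=Linux
    root=/dev/hda1
    read-only
    restricted
    password=ChangeMe-ExamplePassword

# The password sits in clear text in this file, so make it readable by
# root only (chmod 600 /etc/lilo.conf) and re-run /sbin/lilo after
# editing so the boot map picks up the change.
```

As Alan notes, this only covers the prompt; a floppy-first boot order or physical access to the disk still needs BIOS settings or disk encryption to address.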