[techtalk] root passwd

Angela Nash Chick at the-nashes.net
Fri May 11 21:16:38 EST 2001


Also, if you want to disable this just edit your /etc/inittab and remove the
single user runlevel.  Or, put a password on the LILO prompt.  But remember,
I can get around that with a boot disk.  Like Red Hat said, use an
encryptable file system.  Just be careful and don't forget your root
password or get in a situation where you need to do disk recovery.

Jason

-----Original Message-----
From: Linda MacPhee-Cobb [mailto:prettyphysicslady at hotmail.com]
Sent: Friday, May 11, 2001 8:09 PM
To: techtalk at linuxchix.org
Subject: [techtalk] root passwd


Hi,

I've been informed this is a 'feature' not a 'flaw'..... sound like MS?


From ljcobb Fri May 11 19:40:05 2001
Return-Path: <alan at devserv.devel.redhat.com>
Delivered-To: ljcobb at localhost.localdomain
Received: from localhost (localhost.localdomain [127.0.0.1]) by localhost.localdomain (Postfix) with ESMTP id 6D6965CF96 for <ljcobb at localhost>; Fri, 11 May 2001 19:40:05 -0400 (EDT)
Received: from timestocome.com by localhost with POP3 (fetchmail-5.5.2) for ljcobb at localhost (single-drop); Fri, 11 May 2001 19:40:05 -0400 (EDT)
Received: from devserv.devel.redhat.com (nat-pool-meridian.redhat.com [199.183.24.200]) by chloris.host4u.net (8.8.5/8.8.5) with ESMTP id SAA23996 for <linda at timestocome.com>; Fri, 11 May 2001 18:26:25 -0500
Received: (from alan at localhost) by devserv.devel.redhat.com (8.11.0/8.11.0) id f4BNaI217904; Fri, 11 May 2001 19:36:18 -0400
From: Alan Cox <alan at redhat.com>
Message-ID: <200105112336.f4BNaI217904 at devserv.devel.redhat.com>
Subject: Re: root password security flaw
To: linda at timestocome.com (Linda MacPhee-Cobb)
Date: Fri, 11 May 2001 19:36:18 -0400 (EDT)
CC: alan at redhat.com (Alan)
In-Reply-To: <3AFC7525.B41409B0 at timestocome.com> from "Linda MacPhee-Cobb" at May 11, 2001 07:26:29 PM
X-Mailer: ELM [version 2.5 PL3]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: alan at devserv.devel.redhat.com
Status:
X-Mozilla-Status: 8013
X-Mozilla-Status2: 00000000
X-UIDL: 3ab240ad0000028e




> >      Ok, Now how do you do it.
> >      1: first think up a new password.
> >      2: reboot the machine
> >      3: At lilo prompt type Linux 1
> >      4: at the prompt after you are in type passwd root
> >      5: enter your new password twice.
> >      6: Reboot like normal
> > > **************
> > I tried it on both my and my husband's machines and trivially gained
> > root control.


Well it's a PC. So let's firstly look at this objectively.
Got a screwdriver? Then you have root access.
Floppy drive and the machine boots floppy first? Then you have root access.

In certain environments you don't want people doing this. Lilo allows you to
stop people adding options to the lilo prompt in such cases. Of course a
screwdriver and/or axe still work very well but there are ways to deal
with that in things like libraries.

So no, it isn't a bug. It's a configuration item. If you are worried about people
with screwdrivers (and in corporate data cases you might be..) then you end
up needing hard encryption on all disk contents so even if the bad guys
steal the disk they can't access the data without the decryption key.

I suspect however the password options on lilo are what you want.

Alan
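The "password options on lilo" Alan points to, as an added example that is not part of this thread: a small POSIX shell audit of a lilo.conf that checks for a global `password=` together with `restricted` (so the password is only demanded when someone types extra options such as `linux 1` at the prompt) and for a 0600 file mode, since LILO stores that password in cleartext in lilo.conf. `password=` and `restricted` are real lilo.conf directives; the function names, the two constructed sample configs and the `REPLACE-ME` placeholder are mine, and the BSD `stat -f` fallback is an assumption for non-GNU systems.

```shell
#!/bin/sh
# Added example, not from the thread: audit a lilo.conf for the LILO
# prompt-password options. Prints "ok" or a space-separated list of
# findings: no-password, unrestricted, readable-by-others(<mode>).
lilo_audit() {
    conf="$1"
    findings=""
    # Global section: everything before the first image=/other= stanza.
    global=$(awk '/^[[:space:]]*(image|other)[[:space:]]*=/ { exit } { print }' "$conf")
    printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]*=' \
        || findings="$findings no-password"
    printf '%s\n' "$global" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$' \
        || findings="$findings unrestricted"
    # File mode: GNU stat first, BSD/macOS stat as a fallback (assumption).
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case "$mode" in
        600|400) ;;
        *) findings="$findings readable-by-others($mode)" ;;
    esac
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
    else
        echo ok
    fi
}

# Constructed sample: a default-looking config like the one the thread
# describes, with no prompt password and world-readable permissions.
# Prints the path of the temp file it wrote.
make_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
default=linux
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    chmod 644 "$f"
    echo "$f"
}

# Constructed sample: the same config with the password options set.
# REPLACE-ME is a placeholder, not a real password.
make_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
# Demand the password only when extra options are typed at the prompt.
password=REPLACE-ME
restricted
default=linux
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    chmod 600 "$f"
    echo "$f"
}
```

Run it as `lilo_audit /etc/lilo.conf` on a real system; on the two samples it reports `no-password unrestricted readable-by-others(644)` and `ok`. After editing the real /etc/lilo.conf you must rerun `/sbin/lilo` so the boot map is rewritten, otherwise the prompt keeps its old behaviour. This only closes the LILO-prompt path from the thread; the boot-disk and screwdriver paths are what the BIOS boot order and the disk encryption Alan and Red Hat mention are for.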


_______________________________________________
techtalk mailing list
techtalk at linuxchix.org
http://www.linux.org.uk/mailman/listinfo/techtalk



