[techtalk] root passwd

James Sutherland jas88 at cam.ac.uk
Sat May 12 09:00:09 EST 2001


On Fri, 11 May 2001, Daniel Manrique wrote:

> > I've been informed this is a 'feature' not a 'flaw'..... sound like MS?
>
> No, it doesn't.
>
> The "linux single" or "linux 1" "security flaw" gets "spotted"
> continuously, by people who don't realize that, given physical access to
> the computer system, there's virtually *NO* way to protect from some kind
> of intrusion or denial of service.

Having said that, it's often useful to make it hard to get root access,
even with physical access: the student lab machines here are locked down
in that way, for example.

1. Set the BIOS to boot from HDD only, and set a BIOS password
2. Set up LILO with a password required to change parameters
3. Make sure the PC cases are padlocked and/or alarmed so people can't
reset the BIOS.
4. Make sure users can't get into DOS, which could then reset the BIOS.
(NT and Linux will block this, DOS won't.)

> Imagine for a moment Linux didn't have this "flaw". It's just as easy for
> me to walk in with a Linux boot floppy of any sort, reboot the computer,
> boot using the aforementioned disk, mount the root filesystem, and
> basically have my way with the system.

That would only work IF the machine allows floppy booting; with this
disabled, and a BIOS password set, you'd need to open the lid and short
out the CMOS reset jumper - difficult when the case is alarmed and
padlocked shut!

> That's why having your servers in a *physically secure* facility is
> important when you're concerned about security. It doesn't matter if I
> have the most secure operating system ever created; it doesn't matter if
> the computer itself is practically locked in a safe and there's no way for
> me to access the keyboard or the reset or power buttons in any way. It
> would suffice for me to axe the power cord to effectively perform a DoS
> attack on the system.

Absolutely: if untrusted people have physical access to your critical
systems, you've already done something *VERY* wrong security-wise!


James.
-- 
A person who is more than casually interested in computers should be well
schooled in machine language, since it is a fundamental part of a computer.
		-- Donald Knuth
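Step 2 above (a LILO password so that boot parameters such as "linux single" cannot be typed at the prompt without it) looks like the following in /etc/lilo.conf. This is an added, constructed fragment, not configuration from the original post; the device names, labels and the password are placeholders.

```conf
# /etc/lilo.conf (constructed example; devices and password are placeholders)

boot=/dev/hda          # install the boot loader in the MBR of the first disk
prompt                 # show the LILO prompt
timeout=50             # wait 5 seconds, then boot the default image
default=linux

# "restricted" narrows the password check: the default image still boots
# unattended, but any parameters typed at the prompt (e.g. "linux single",
# "linux init=/bin/sh") require the password first.  Without "restricted"
# the password is demanded for every boot, which breaks unattended reboots.
restricted
password=ReplaceThisPassword   # stored in clear text, see the note below

image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
    # per-image "restricted" / "password=" lines are also allowed if only
    # some entries should be protected
```

Because the password sits in clear text, the file must be readable by root only (chmod 600 /etc/lilo.conf; lilo itself warns when it is not), and /sbin/lilo has to be re-run after every edit so the new map is written to the boot sector. On its own this only closes the boot-prompt route: steps 1, 3 and 4 (no floppy boot, BIOS password, case locked) are what stop someone from simply booting other media or resetting the BIOS.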
