Date: Tue, 15 May 2012 13:53:16 +0400
From: Vahid Shokouhi
To: mahdieh salamat
Cc: Freebsd Security
Subject: Re: Fwd: Single user mode
Message-ID: <498a30cb02045f5cc24747b535581a61@vahid-shokouhi.net>
References: <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net> <40e269c44ec592d0ce3e2d85fd8a032d@vahid-shokouhi.net>
List-Id: "Security issues [members-only posting]"

Hi

The mode that you mentioned only has some basic commands to bring up your machine somehow customized.
If you worry about the result of misusing this mode by someone else, note that running command(s) in this mode results in temporary changes only in THIS boot; which means you can remove/undo changes by rebooting your machine.

There is no direct way to jump over this mode. But you can modify /BOOT/LOADER.CONF in the "autoboot_delay=" part. This parameter determines the wait time in seconds before booting immediately. It seems that if we set this value to "0", then it could pass this part and cannot be interrupted; but for some historical reason, it is possible to interrupt auto-boot even with "0". So, it is recommended to set this value to "-1".

You can make some changes to some file or use some tool to customize this menu behavior, but the following solution seems easier.

Regards
V.Sh

On 2012-05-15 12:40, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message in
> startup FreeBSD: "Hit [Enter] to boot immediately, or any other key for
> command prompt."
> After seeing it, if you press any key you enter another mode, and if you type
> '?' you can see the list of commands. I want to remove this mode. It's so
> important that a user can't access this mode.
> Who can help me?
> Thanks
>
> ---------- Forwarded message ----------
> From: mahdieh salamat
> Date: Mon, May 14, 2012 at 4:29 AM
> Subject: Re: Single user mode
> To: Vahid Shokouhi
>
> I really thank you, it's a really perfect forum. I searched more and more to
> find a Persian website about FreeBSD, now I find it. Thank you
>
> On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi wrote:
>
>> You are most welcome.
>>
>> [I don't know if you know this place; assuming you don't know, I let you
>> know]:
>>
>> www.imenpardis.com
>>
>> This site, which is actually for the "Imen Pardis" company, is owned by
>> Mr. Babak Farrokhi, who is a famous port-maintainer in the FreeBSD project (the
>> only person in the Middle East), and author of a great book on FreeBSD
>> administration. He is a guru in all the Unix family: Unix, Solaris, BSD, Linux;
>> you can google his name and get some info about him. He is a well-known
>> Unix expert in the world.
>> You can join its forum and ask your question and also help others
>> solve their problems. I don't know all the people in the forum, but as
>> Mr. Farrokhi is always supportive and available to answer your question, you
>> can get the right answer from the right person. If I know one word in
>> FreeBSD, he knows thousands..
>>
>> Regards
>>
>> On 2012-05-14 13:08, mahdieh salamat wrote:
>>
>>> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
>>> Thanks a lot
>>>
>>> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi wrote:
>>>
>>>> Hi
>>>>
>>>> Well, there are 2 approaches to any machine security. First, you
>>>> have a fresh machine and it's supposed to be only for you; second,
>>>> you are admin of a machine which others have access to for
>>>> their work purposes. Your question seems close to the first scenario.
>>>>
>>>> As I wrote before, yes it's possible (by default) that any user
>>>> gains access to your machine resources in single-user mode; so we
>>>> talked about editing /etc/tty. The other place which needs to be
>>>> taken care of is /ETC/LOGIN.ACCESS; every time a user wants to
>>>> log in, FreeBSD checks this file and its rules. By default there is
>>>> NO rule defined, which means NO restriction to log in. You can
>>>> config this file in 2 ways [like switch and router ACLs]: you can use
>>>> "permit-based" rules, in which you first permit specific user(s)
>>>> and then deny others. And you can use "deny-based" rules, in which
>>>> you deny ALL and then permit someone. You should be familiar with
>>>> the syntax and format of this file; for example it uses "+" to give
>>>> access and "-" to reject access. For example:
>>>>
>>>> The following is "permit-based"; it gives the "wheel" group console
>>>> access and rejects the others (ALL). Note the "+" & "-":
>>>>
>>>> +:WHEEL: CONSOLE
>>>> -:ALL:CONSOLE
>>>>
>>>> The following is "deny-based". Note the syntax of how "permit" is
>>>> given:
>>>>
>>>> -:ALL EXCEPT WHEEL: CONSOLE [EXCEPT is the permit definer]
>>>>
>>>> The second format is more preferred and recommended; it is both
>>>> short and somehow more secure.
>>>>
>>>> Anyway, this is for the 1st situation, where the machine is only yours
>>>> and you can protect your machine with implying some physical-access
>>>> rules. But in the real world you have to deal with the second condition.
>>>> Then you have to focus on many things: limiting users' use of any
>>>> resource by editing /ETC/LOGIN.CONF, the permissions of files, the flags,
>>>> clearing your machine of unknown/unnecessary users (daemons),
>>>> using jail and so on..
>>>>
>>>> I hope it is helpful for you and gives you some hints on securing.
>>>>
>>>> If there is any question, please feel free and don't hesitate to
>>>> ask.
>>>>
>>>> Regards
>>>>
>>>> Vahid Shokouhi
>>>>
>>>> On 2012-05-14 09:53, mahdieh salamat wrote:
>>>>
>>>>> Thanks for your help, it was so useful. I want to know that when a
>>>>> user is using a machine and he/she doesn't have root's password, can
>>>>> he/she access it? For example by single user mode or other modes?
>>>>>
>>>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi wrote:
>>>>>
>>>>>> Hi
>>>>>> Yes, it is possible to gain access via single-user, but
>>>>>> single-user mode is for the root user to configure something as he
>>>>>> likes; but if the machine is accessible to others, you need to
>>>>>> edit "/etc/tty" to prompt for a password in single user mode,
>>>>>> although keep in mind anyone with physical access to the machine can
>>>>>> still retrieve your data through various methods.
>>>>>> In /etc/tty note the "secure" term, which actually has a different
>>>>>> meaning. It means that you consider, for example, "console" as a
>>>>>> secure mode; so you have to change it to "insecure".
>>>>>> After rebooting and entering single user mode, you will be
>>>>>> prompted for a password to get to the shell prompt.
>>>>>>
>>>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
>>>>>>
>>>>>>> Hi everybody. I have a question about single user mode in
>>>>>>> FreeBSD. Security is so important for me. I want to know if someone who doesn't
>>>>>>> know my root's password can access it. In other words, in our FreeBSD we
>>>>>>> don't have the FreeBSD boot loader menu; we deleted it for our users because of
>>>>>>> security. I want to know is there any other way except the boot loader menu for
>>>>>>> our users to access our root's password?
>>>>>>> Thanks
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
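The two /etc/login.access rule styles quoted in the thread (permit-based and deny-based), evaluated by a small rule checker so the equivalence of the two styles can be seen on sample logins. This is an added example, not code from the thread or from FreeBSD's own login(1) implementation; it models login.access(5) semantics as commonly documented (first matching rule wins, ALL matches everyone, "a EXCEPT b" excludes, no matching rule means access is granted) and assumes case-insensitive name matching. The rule text and the user, group and tty names are constructed.

```python
"""Toy evaluator for /etc/login.access-style rules (constructed example, not
FreeBSD's own login_access code). Line format: permission:users:origins."""
from typing import Iterable, List, Tuple

Rule = Tuple[bool, List[str], List[str]]

# Constructed rule sets modelled on the two styles discussed in the thread.
PERMIT_BASED = "+:wheel:console\n-:ALL:console\n"
DENY_BASED = "-:ALL EXCEPT wheel:console\n"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'perm:users:origins' lines; '#' starts a comment, blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed login.access line: {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def _field_matches(items: List[str], names: Iterable[str]) -> bool:
    """Match one list field against a set of names. ALL matches anything;
    'a b EXCEPT c d' matches if the left part does and the right part does not.
    Matching is case-insensitive (an assumption of this model)."""
    items = [i.lower() for i in items]
    names = {n.lower() for n in names}
    if "except" in items:
        idx = items.index("except")
        return _field_matches(items[:idx], names) and not _field_matches(items[idx + 1:], names)
    return any(i == "all" or i in names for i in items)


def check_access(rules: List[Rule], user: str, groups: List[str], origin: str) -> bool:
    """The first rule whose users field matches the login name or one of the user's
    groups AND whose origins field matches the tty decides. No match: allowed."""
    names = [user, *groups]
    for allow, users, origins in rules:
        if _field_matches(users, names) and _field_matches(origins, [origin]):
            return allow
    return True


def same_decisions(rules_a: List[Rule], rules_b: List[Rule]) -> bool:
    """True if both rule sets decide identically for the constructed sample logins."""
    logins = [("alice", ["wheel"], "console"), ("bob", ["users"], "console"),
              ("bob", ["users"], "ttyv1")]
    return all(check_access(rules_a, *lg) == check_access(rules_b, *lg) for lg in logins)
```

Note that neither rule set mentions ttyv1, so a non-wheel login there is still allowed by the default; a real deployment would add origins (or ALL) to cover every tty it wants restricted.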