From: Wout Decré <wout@canodus.be>
To: mahdieh salamat
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: Single user mode
Date: Tue, 15 May 2012 10:52:54 +0200
Message-ID: <1337071974.2352.1.camel@debian.wout-thinkpad>
References: <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net> <40e269c44ec592d0ce3e2d85fd8a032d@vahid-shokouhi.net>
List-Id: "Security issues [members-only posting]"

On Tue, 2012-05-15 at 01:40 -0700, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message in
> startup FreeBSD: "Hit [Enter] to boot immediately, or any other key for
> command prompt." After seeing it, if you press any key you enter another
> mode, and if you type '?' you can see the list of commands. I want to
> remove this mode. It's so important that a user can't access this mode.

Set autoboot_delay="-1" in /boot/loader.conf. See /boot/defaults/loader.conf
for more information.

> Who can help me?
> Thanks
>
> ---------- Forwarded message ----------
> From: mahdieh salamat
> Date: Mon, May 14, 2012 at 4:29 AM
> Subject: Re: Single user mode
> To: Vahid Shokouhi
>
> I really thank you, it's a really perfect forum. I searched more and more
> to find a Persian website about FreeBSD; now I have found it. Thank you.
>
> On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi wrote:
>> You are most welcome.
>>
>> [I don't know if you know this place; assuming you don't, I let you know]:
>>
>> www.imenpardis.com
>>
>> This site, which is actually for the "Imen Pardis" company, is owned by
>> Mr. Babak Farrokhi, who is a famous port maintainer in the FreeBSD project
>> (the only person in the Middle East), and author of a great book on FreeBSD
>> administration. He is a guru in all the Unix family: Unix, Solaris, BSD,
>> Linux; you can google his name and get some info about him. He is a
>> well-known Unix expert in the world.
>> You can join its forum and ask your question and also help others solve
>> their problems. I don't know all the people in the forum, but as
>> Mr. Farrokhi is always supportive and available to answer your question,
>> you can get the right answer from the right person. If I know one word in
>> FreeBSD, he knows thousands.
>>
>> Regards
>>
>> On 2012-05-14 13:08, mahdieh salamat wrote:
>>> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
>>> Thanks a lot
>>>
>>> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi wrote:
>>>> Hi
>>>>
>>>> Well, there are 2 approaches to any machine security. First, you have a
>>>> fresh machine and it's supposed to be only for you; second, you are
>>>> admin of a machine which others have access to for their work purposes.
>>>> Your question seems close to the first scenario.
>>>>
>>>> As I wrote before, yes, it's possible (by default) that any user gains
>>>> access to your machine resources in single-user mode; so we talked
>>>> about editing /etc/tty. The other place which needs to be taken care
>>>> of is /ETC/LOGIN.ACCESS; every time a user wants to log in, FreeBSD
>>>> checks this file and its rules. By default there is NO rule defined,
>>>> which means NO restriction to log in. You can config this file in 2
>>>> ways [like switch and router ACLs]: you can use "permit-based" rules,
>>>> in which you first permit specific user(s) and then deny others; and
>>>> you can use "deny-based" rules, in which you deny ALL and then permit
>>>> someone. You should be familiar with the syntax and format of this
>>>> file; for example it uses "+" to give access and "-" to reject access.
>>>> For example:
>>>>
>>>> The following is "permit-based"; it gives the "wheel" group console
>>>> access and rejects the others (ALL). Note the "+" & "-":
>>>>
>>>>   +:WHEEL: CONSOLE
>>>>   -:ALL:CONSOLE
>>>>
>>>> The following is "deny-based". Note the syntax of how "permit" is
>>>> given:
>>>>
>>>>   -:ALL EXCEPT WHEEL: CONSOLE    [EXCEPT is the permit definer]
>>>>
>>>> The second format is more preferred and recommended; it is both short
>>>> and somehow more secure.
>>>>
>>>> Anyway, this is for the 1st situation, where the machine is only yours,
>>>> and you can protect your machine by implying some physical-access rules.
>>>> But in the real world you have to deal with the second condition. Then
>>>> you have to focus on many things: limiting users' use of any resource by
>>>> editing /ETC/LOGIN.CONF, the permissions of files, the flags, clearing
>>>> your machine of unknown/unnecessary users (daemons), using jail and so
>>>> on.
>>>>
>>>> I hope it is helpful for you and gives you some hints on securing.
>>>>
>>>> If there is any question, please feel free and don't hesitate to ask.
>>>>
>>>> Regards
>>>>
>>>> Vahid Shokouhi
>>>>
>>>> On 2012-05-14 09:53, mahdieh salamat wrote:
>>>>> Thanks for your help, it was so useful. I want to know that when a
>>>>> user is using a machine and he/she doesn't have root's password, can
>>>>> he/she access it? For example by single user mode or other modes?
>>>>>
>>>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi wrote:
>>>>>> Hi
>>>>>> Yes, it is possible to gain access via single-user, but single-user
>>>>>> mode is for the root user to configure something as he likes; but if
>>>>>> the machine is accessible to others, you need to edit "/etc/tty" to
>>>>>> prompt for a password in single user mode, although keep in mind
>>>>>> anyone with physical access to the machine can still retrieve your
>>>>>> data through various methods.
>>>>>> In /etc/tty note the "secure" term, which actually has a different
>>>>>> meaning. It means that you consider, for example, "console" as a
>>>>>> secure mode; so you have to change it to "insecure".
>>>>>> After rebooting and entering single user mode, you will be prompted
>>>>>> for a password to get to the shell prompt.
>>>>>>
>>>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
>>>>>>> Hi everybody. I have a question about single user mode in FreeBSD.
>>>>>>> Security is so important for me. I want to know if someone who
>>>>>>> doesn't know my root password can access it? In other words, in
>>>>>>> our FreeBSD we don't have the FreeBSD boot loader menu; we deleted
>>>>>>> it for our users because of security. I want to know, is there any
>>>>>>> other way except the boot loader menu for our users to access our
>>>>>>> root's password?
>>>>>>> Thanks
>>>>>>> _______________________________________________
>>>>>>> freebsd-security@freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>>>>>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
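The following shell script is an added example, not code from this thread or from FreeBSD: it audits the three settings discussed above (autoboot_delay in loader.conf, the "insecure" flag on the console entry in ttys(5), whose real path is /etc/ttys, and a console deny rule in login.access(5)). Each check takes a file path as a parameter, and the script exercises them against constructed sample files rather than the live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit the console-hardening settings
# discussed above. Each check takes a file path so it can be pointed at the
# real files (/boot/loader.conf, /etc/ttys, /etc/login.access) or at samples.

# 0 if autoboot_delay is "-1", i.e. the loader countdown cannot be interrupted.
check_autoboot() {
    grep -Eq '^[[:space:]]*autoboot_delay[[:space:]]*=[[:space:]]*"?-1"?' "$1"
}

# 0 if the console entry in ttys(5) carries the "insecure" flag, which makes
# init(8) ask for the root password before giving out a single-user shell.
check_console_insecure() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "console" { for (i = 2; i <= NF; i++) if ($i == "insecure") ok = 1 }
         END { exit !ok }' "$1"
}

# 0 if login.access(5) contains at least one deny ("-") rule for the console.
check_console_acl() {
    grep -Eiq '^[[:space:]]*-[[:space:]]*:[^:]*:[[:space:]]*console' "$1"
}

# report <label> <check> <file>: print PASS/FAIL, return the check's status.
report() {
    if "$2" "$3"; then echo "PASS: $1 ($3)"; return 0; fi
    echo "FAIL: $1 ($3)"; return 1
}

# audit_console <loader.conf> <ttys> <login.access>: returns number of failures.
audit_console() {
    fails=0
    report "autoboot_delay=-1" check_autoboot "$1" || fails=$((fails + 1))
    report "console marked insecure" check_console_insecure "$2" || fails=$((fails + 1))
    report "console deny rule" check_console_acl "$3" || fails=$((fails + 1))
    return $fails
}

# Constructed sample files (a default-like set and a hardened set), not real ones.
d=$(mktemp -d)
printf 'autoboot_delay="10"\n' > "$d/loader.weak"
printf 'autoboot_delay="-1"\n' > "$d/loader.hard"
printf '# name getty type status\nconsole none unknown off secure\n' > "$d/ttys.weak"
printf '# name getty type status\nconsole none unknown off insecure\n' > "$d/ttys.hard"
: > "$d/access.weak"
printf '%s\n' '-:ALL EXCEPT wheel:console' > "$d/access.hard"
audit_console "$d/loader.weak" "$d/ttys.weak" "$d/access.weak"; weak_fails=$?
audit_console "$d/loader.hard" "$d/ttys.hard" "$d/access.hard"; hard_fails=$?
rm -rf "$d"
```

Run against the real paths, a non-zero exit from audit_console tells you how many of the three settings still have their default, unrestricted values.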