Date:      Thu, 3 Feb 2005 13:49:48 -0500
From:      epilogue <epilogue@allstream.net>
To:        Gert Cuykens <gert.cuykens@gmail.com>
Cc:        Chris Hodgins <chodgins@cis.strath.ac.uk>
Subject:   Re: xhost +localhost
Message-ID:  <20050203134948.06fee67a@localhost>
In-Reply-To: <ef60af0905020305433c03cc4c@mail.gmail.com>
References:  <ef60af0905020218193eea1fc9@mail.gmail.com> <LOBBIFDAGNMAMLGJJCKNEEDHFAAA.tedm@toybox.placo.com> <ef60af0905020305433c03cc4c@mail.gmail.com>

On Thu, 3 Feb 2005 14:43:39 +0100
Gert Cuykens <gert.cuykens@gmail.com> wrote:

> On Thu, 3 Feb 2005 00:32:23 -0800, Ted Mittelstaedt
> <tedm@toybox.placo.com> wrote:

> > While all of this is very interesting academic, if user Gert is dumb
> > enough to leave the console of his UNIX system accessible then user
> > Ted can come along and power cycle it into single user mode and wipe
> > his disks whether he has the root password or not.

While I quite agree with Ted's encouraging Gert to run X as joe user,
rather than root (for a variety of security-related reasons), it is a
trivial matter to implement a password requirement for boot -s.  This way,
even if a user can boot -s, they *must* have the root passwd.

This implementation does mean, however, that you should not forget the
root passwd, for if you do forget, you will not be able to reset it
via boot -s and passwd.

/etc/ttys

# If console is marked "insecure", then init will ask for the root
# password when going to single-user mode.

console none                     unknown    off     insecure

my 2 cents CAD for the day.


cheers,
epi
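
An audit check for the /etc/ttys setting described in the message above, as an added example that is not part of the original e-mail. The function name console_policy and the result labels it prints are assumptions made for this illustration; the sample file is constructed.

```shell
#!/bin/sh
# Added example: report how a ttys file marks the "console" entry.
# Prints one of (labels are hypothetical, chosen for this example):
#   password-required  console is flagged "insecure"
#   no-password        console is flagged "secure"
#   unspecified        console entry carries neither flag
#   missing            no uncommented console entry
#   unreadable         file cannot be read
console_policy() {
    ttys_file="${1:-/etc/ttys}"
    [ -r "$ttys_file" ] || { echo "unreadable"; return 1; }
    awk '
        { sub(/#.*/, "") }                 # drop whole-line and trailing comments
        $1 == "console" && !found {        # first console entry decides
            found = 1
            flag = "unspecified"
            for (i = 2; i <= NF; i++) {
                if ($i == "insecure")      flag = "password-required"
                else if ($i == "secure")   flag = "no-password"
            }
        }
        END { print (found ? flag : "missing") }
    ' "$ttys_file"
}

# Constructed sample mirroring the entry quoted in the message.
sample=$(mktemp)
printf '%s\n' \
    '# If console is marked "insecure", then init will ask for the root' \
    '# password when going to single-user mode.' \
    'console none                     unknown    off     insecure' > "$sample"
console_policy "$sample"
rm -f "$sample"
```

On a real system, call console_policy with no argument to check /etc/ttys itself.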


