Date: Thu, 3 Feb 2005 13:49:48 -0500
From: epilogue
To: Gert Cuykens
Cc: freebsd-questions@freebsd.org, Ted Mittelstaedt, Chris Hodgins
Subject: Re: xhost +localhost

On Thu, 3 Feb 2005 14:43:39 +0100
Gert Cuykens wrote:

> On Thu, 3 Feb 2005 00:32:23 -0800, Ted Mittelstaedt wrote:
> > While all of this is very interesting academic, if user Gert is dumb
> > enough to leave the console of his UNIX system accessible then user
> > Ted can come along and power cycle it into single user mode and wipe
> > his disks whether he has the root password or not.

While I quite agree with Ted's encouraging Gert to run X as joe user,
rather than root (for a variety of security related reasons), it is a
trivial matter to implement a password requirement for boot -s. This way,
even if a user can boot -s, they *must* have the root passwd.
This implementation does mean, however, that you should not forget the
root passwd, for if you do forget, you will not be able to reset it via
boot -s and passwd.

/etc/ttys

    # If console is marked "insecure", then init will ask for the root
    # password when going to single-user mode.
    console none                            unknown off insecure

my 2 cents CAD for the day.

cheers,
epi
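
An added example, not part of the message above: a small audit check that reads a ttys(5)-format file and reports whether the console entry carries the "insecure" flag described in the message. The function names are hypothetical, the sample lines are constructed, and treating the first console entry as authoritative is this example's assumption.

```shell
#!/bin/sh
# Audit check for the /etc/ttys setting discussed above (added example).
# Usage on a real host: single_user_needs_root_password /etc/ttys

# Print the console entry's flag: "insecure", "secure", "unset" (entry
# present, neither flag given) or "missing" (no active console entry).
# Reads the files given as arguments, or stdin when there are none.
console_flag() {
    awk '
        {
            sub(/#.*/, "")              # strip comments, whole-line or trailing
            if ($1 != "console") next
            found = 1; flag = "unset"
            # Compare whole tokens: a substring match on "secure" would
            # also hit "insecure" and report the wrong state.
            for (i = 2; i <= NF; i++)
                if ($i == "secure" || $i == "insecure") flag = $i
            exit                        # assumption: first console entry wins
        }
        END { print (found ? flag : "missing") }
    ' "$@"
}

# Succeeds only when the console is explicitly marked insecure, i.e. the
# state in which init asks for the root password before single-user mode.
single_user_needs_root_password() {
    [ "$(console_flag "$@")" = "insecure" ]
}

# Constructed sample: the old line left commented out, the hardened line active.
sample='# console none unknown off secure
console none                            unknown off insecure'

if printf '%s\n' "$sample" | single_user_needs_root_password; then
    echo "console is insecure: single-user mode requires the root password"
else
    echo "console is not marked insecure: boot -s gives a root shell unprompted"
fi
```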