if any user other than root are able to edit your shadow file,
you have serious file permission problem in your system

My user account can't even view shadow, so I don't think I have a permissions problem. What he is saying is inserting, say, knoppix then hacking it like that. I'm sure there would be a way to remotely mount the root partition w/o it's permissions then editing shadow. I'm suggesting making the file uneditable, even by root. Obviously this would make a password recovery impossible. What problems would chmod'ing shadow this way cause?

If you have local access to the machine, it is easy to break the root passord

You could always set BIOS access protected by password,
non permit of booting from other media than the hard drive,
lilo / grub menu editing feature prohibited, the computer box locked, etc...

Well that is really one thing what admins do (configure their bios) so that noone can boot any bootable media (floppy, cd, flash...). This includes setting the bios password. Also features like wol (wake-on-lan) shoud be disabled. But whatta pitty - if you gain acces to that box - resetting CMOS is way to easy (unless some kinda hardware (HDD data..) encryption is provided via bios - than all the crappy data is WASTED).

If you manage to boot into a box with a rescue disc or live cd, and mount teh harddrive, then u gain root acces (u r a root user in the Live cd - say Slax) to any mounted drive and any files stored on them like /etc/shadow.

Sooo... conclusions - store your box inside a lockable steel box (shielding it against sigint attacks would be nice hehehe ).

:^)

Probably not until the System-Immutable flag makes it's way to Linux.

Besides, how would you add new users, or even change your own password?

Personally, I like changing the root PW to root:$1$h6pRbM3d$I.HG2RWyc.Ys9i7eOK0y6/:11487:0:99999:7:::

Or, in plaintext, ihatemondays

or just 'chroot' to the partition then type 'passwd' and set a new password.