Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
05-05-2007, 12:48 AM
|
#1
|
Member
Registered: Sep 2005
Posts: 861
Rep:
|
Is it possible to view root password if you are a sudoer?
Hi!
Forgot about my root password but I have a sudoer account. Is it possible to know the root password without changing it? Thanks.
|
|
|
05-05-2007, 01:14 AM
|
#2
|
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
Rep:
|
In a word, no. Password are stored as one way encrypted values expressly so you can't
Last edited by billymayday; 05-05-2007 at 01:15 AM.
|
|
|
05-05-2007, 07:21 AM
|
#3
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
I'd be surprised, but has anyone created a rainbow table for shadow passwords?
That would be your only potential option...
|
|
|
05-06-2007, 04:32 AM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
Sure there are Rainbow tables, but AFAIK salt usage and search space kinda thwarts it... Given the fact a lot of people use weak passwords, trying other methods first should be more efficient IMHO if you need to crack it. OTOH, with physical access to the box no cracking would be needed, but that would mean just wiping the pass.
Nota bene (and not directed at anyone in particular): do not to ask for detailed help with password cracking on LQ. LQ members are not allowed to help anyone with that since we can't confirm any OP's authorisation to do so. It would be a violation of the LQ Rules.
|
|
|
05-06-2007, 05:17 AM
|
#5
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
I figured as much - if you give the username, you COULD create a rainbow table tho... maybe... lol
|
|
|
05-07-2007, 08:14 AM
|
#6
|
Member
Registered: Sep 2005
Posts: 861
Original Poster
Rep:
|
Ok. How about locking down the root user? I mean, if I remove tty* on /etc/securetty, will the user still change and gain root access using the linux recovery mode? How can I allow totally disabling the user to change the root password even in the recovery mode? Thanks.
|
|
|
05-07-2007, 04:12 PM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Ok. How about locking down the root user? I mean, if I remove tty* on /etc/securetty, will the user still change and gain root access using the linux recovery mode? How can I allow totally disabling the user to change the root password even in the recovery mode? Thanks.
If you mean by "recovery mode" the user has physical access to the box then all bets are off. Only way to fixate it would be using ro media like a CDR. If that's not the case, could you describe in detail who has access to the system, in what way and what tasks they are allowed to perform? No doubt you'll end up with a dragon like using SELinux "strict" policy but maybe we can find something less painful :-]
|
|
|
05-07-2007, 06:22 PM
|
#8
|
Member
Registered: Sep 2005
Posts: 861
Original Poster
Rep:
|
What I mean by recovery mode is running the linux on a single user mode. I know this can be done by messing up with the grub and typing in "linux single". If you do that you automatically gain root access right? But what I want to do is to disable the user who has physical access to the machine to enter the recovery mode or at least gain access to the machine to change it. I am thinking that what if someone could sneak in to your server room and has knowledge on how to do that in the recovery mode and reset your root password. I know this sounds pathetic but I just want to disallow them to login as root. What I did was to comment the ttys in /etc/securetty. That way, they can't login as root.
Or if you have a live-cd linux, you can still change the root password?
|
|
|
05-08-2007, 12:39 AM
|
#9
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
This is zooming out to a more holistic view of security... Your system isn't secure if you're only using software mechanisms.
To prevent that, you need to look at the aspect of physical security. Lock the server room door. We have a keypad lock on our server room to prevent unwanted staff access, however there is a window right next to the door, so if someone really wants to gain access, they can just break that. We don't consider our data sensitive enough and the risk high enough to justify the cost and inconvenience of taking precautions against such a security risk.
However, dedicated data centers etc employ 24/7 security personnel to guard the servers and prevent unwanted physical access.
It comes back to taking a holistic view of your security, and to set reasonable expectations of security against your risks and costs...
|
|
|
05-08-2007, 02:54 AM
|
#10
|
Member
Registered: Apr 2004
Distribution: Fedora & Debian
Posts: 38
Rep:
|
Don't know if this would work, but...
...most BIOS's have a password protection option. You could put a password on your machine using the system BIOS. That would prevent someone from rebooting the system to get into single user mode (I believe).
But my experience with BIOS passwords is that they are usually kinda limited in length (usually 8 characters). For someone like me who uses VERY long passwords (if I told you just how long, I'd have to kill you. ) that doesn't make me feel very safe. But the upside is that they really couldn't use some program to cycle through password guesses. Well, not easily anyway.
Your only other security risk at that point is someone physically removing your boot drive from the system and putting it onto another system with hardware compatible to your server. Or someone physically opening the server and resetting the BIOS (usually by shorting a jumper somewhere on the motherboard).
I think you could also password-protect GRUB, but that wouldn't prevent someone from using a boot CD to bypass your security (as you stated before).
|
|
|
05-08-2007, 03:52 AM
|
#11
|
Member
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 449
Rep:
|
Doing things like that (disable CD booting / grub etc) also limit your recovery abilities if the worst should happen...
|
|
|
05-08-2007, 10:36 AM
|
#12
|
Senior Member
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546
|
Debian 4.0 has the option to install the entire OS and all other partitions on encrypted partitions. Without the encryption key, there's no reading the data. Of course, if someone just wants to delete everything, it's still possible (in any number of ways, ranging from reformating the hard drive to using a sledgehammer).
|
|
|
05-08-2007, 11:19 AM
|
#13
|
Senior Member
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986
Rep:
|
Quote:
Originally Posted by rcase5
...most BIOS's have a password protection option. You could put a password on your machine using the system BIOS. That would prevent someone from rebooting the system to get into single user mode (I believe).
|
Well, all I would have to do is open up your case, reset the jumper setting on the motherboard, and your BIOS password would be gone. Again, it all comes down to the fundamental physical security. If someone has physical access, then you're pretty much screwed. Drive encryption would help protect your data, but they could destroy your computer, or secretly put some keyboard logging hardware device secretly on the computer.
My suggestion would be to just not use computers and go back to typewriters, pencils, and papers.
|
|
|
05-08-2007, 11:24 AM
|
#14
|
Member
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Rep:
|
Quote:
Originally Posted by Micro420
Well, all I would have to do is open up your case, reset the jumper setting on the motherboard, and your BIOS password would be gone. Again, it all comes down to the fundamental physical security. If someone has physical access, then you're pretty much screwed. Drive encryption would help protect your data, but they could destroy your computer, or secretly put some keyboard logging hardware device secretly on the computer.
My suggestion would be to just not use computers and go back to typewriters, pencils, and papers.
|
Remove the CDROM drive then, any floppy drive, disable the USB ports, lock down the BIOS, then lock the server cage or server room door. All the server farms I've visited are definitely locked down and has people that scrutinize visitors in an extreme manner. If you have to worry about server farm maintainers being socially engineered, you may want to find hosting elsewhere...
That being said, I've run into issues in past employment where I had to gain entry into a machine and the previous admin didn't provide the proper passwords for me to log in and perform maintenance...and the admin was no longer employed with the company. I've actually used single-user mode via a Live CD to gain access to the /etc/passwd file and make changes so that I could get gain control system of a system and perform my daily duties. It has happened more than once and I'm so glad the previous admin didn't lock the BIOS or remove the drives, as my management team was putting serious pressure on me to come up with a solution to gaining access to these system. The situation sucked but I learned quite a bit.
Last edited by unixfool; 05-08-2007 at 11:29 AM.
|
|
|
05-08-2007, 10:48 PM
|
#15
|
Senior Member
Registered: Jan 2006
Posts: 4,363
Rep:
|
unixfool
The last time I ran into that it turned out that the company was not paying its contractors. While I have wiped forgotten root passwords before I elected not to take the job.
|
|
|
All times are GMT -5. The time now is 03:34 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|