04-08-2007, 10:24 PM
|
#1
|
Senior Member
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250
Rep:
|
Root password lost ... how to keep from changing?
This is in reference to a thread: http://www.linuxquestions.org/questi...d.php?t=544396
I would like to pose a scenario:
In a multiuser lab, no people should know the root password. Knowing the installed distribution, but not knowing the root password, would someone be able to utilize the install CD in rescue mode to change the password? This does not sound very good.
|
|
|
04-09-2007, 12:15 AM
|
#2
|
Senior Member
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250
Rep:
|
Sure they would, and on lots of distros there are even easier ways; like hitting "e" while the grub screen is displayed.
|
|
|
04-09-2007, 01:31 AM
|
#3
|
Member
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700
Rep:
|
Quote:
no people should know the root password
|
Surely at least one person should know the password.
As for the whole livecd thing .. have the computer *not* boot off the CD-ROM, and set up a BIOS password. And stuff like that. Physical security is not *that* hard to ensure given the user can not use a screwdriver.
|
|
|
04-11-2007, 01:37 PM
|
#4
|
Member
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259
Rep:
|
Or, if you have the right type of case, password the BIOS, change the boot settings so that it can't boot from CD, then padlock the case shut. I did with mine. (Then lost the key... Duh.)
Reason for edit: Stoopid speling mistek!
|
|
|
04-11-2007, 02:10 PM
|
#5
|
Senior Member
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,187
|
Quote:
Originally Posted by SlowCoder
This is in reference to a thread: http://www.linuxquestions.org/questi...d.php?t=544396
I would like to pose a scenario:
In a multiuser lab, no people should know the root password. Knowing the installed distribution, but not knowing the root password, would someone be able to utilize the install CD in rescue mode to change the password? This does not sound very good.
|
In your scenario, the administrator would quickly become aware that the root password had been changed because her password would no longer work. In that circumstance, she would:
<edit>
First, change the BIOS so that HD boot precedes any other boot media, and protect BIOS changes with a password. This would prevent any such changes in the future. Of course, this should be done as a matter of course in any publicly accessible computer system. If there is a need to boot from some other media than the HD, she can use the BIOS password to change the setting for that boot, and then change it back.
She would also change the /etc/rc.d/rc[1-4].d/ setting so that changing the boot run level would not give root access without a password.
After that, she would:
</edit>
1) Boot into single user mode from a rescue disk
2) Create a new incremental backup to identify any changes since her last backup (see below)
3) Change the root password
4) Restore the system to a prior “known good” state from her backups
5) Start an internal investigation to identify who had made the unauthorized change, and what had been changed in the system
6) If the perpetrator could be identified, report the facts to the lab administrator for action
7) If the perpetrator could not be identified, report that to the lab administrator so a criminal investigation could be started.
8) Review the changes in the incremental backup and restore any authorized changes.
Last edited by PTrenholme; 04-11-2007 at 04:16 PM.
|
|
|
04-12-2007, 02:06 PM
|
#6
|
Member
Registered: Jan 2007
Distribution: Slackware
Posts: 341
Rep:
|
Quote:
Originally Posted by SlowCoder
This is in reference to a thread: http://www.linuxquestions.org/questi...d.php?t=544396
I would like to pose a scenario:
In a multiuser lab, no people should know the root password. Knowing the installed distribution, but not knowing the root password, would someone be able to utilize the install CD in rescue mode to change the password? This does not sound very good.
|
I think this is just another myth. Did you try to boot in "single user mode" or in "rescue mode" with your distro install CD? I tried many times in Slackware:
Code:
bare.i root=/dev/hda1 noinitrd ro telinit S -t 10
but finally was always only
Or I miss the point?
|
|
|
04-12-2007, 02:12 PM
|
#7
|
Member
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Rep:
|
The solution is simple:
Put your Linux server inside a locked closet where nobody can get physical access to it.
You can also password protect Grub and your BIOS. My last recommendation would be to disable root login on all consoles, but make sure at least one of your other accounts has root privilege.
|
|
|
04-13-2007, 06:14 PM
|
#8
|
Member
Registered: Mar 2007
Posts: 119
Rep:
|
In your pose bit - why should no one know the root password in a multi-user lab?
It is not a given that no one should know the root password, you should really explain what you are trying to achieve.
Assuming you want people to have access to their data restricted to themselves and not allow root (the admin) the ability to sniff around it - then you have to look towards encryption. So, you would encrypt part of the disk for each user.
|
|
|
04-13-2007, 09:17 PM
|
#9
|
Senior Member
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Debian based
Posts: 1,250
Original Poster
Rep:
|
Coming back to read my post, and all of your responses, I guess I left out information. Sorry about that.
1. I do realize at least one person should know the root password, but that should be the admin, not a general lab user.
2. I use BIOS passwords and boot orders at my job to keep users from attempting to boot from CD. I understand that aspect of security.
I think I should have thought it out more thoroughly before posting. This scenario just seems like such an easy way to bypass root, that it surprised me how easy it apparently is. With Windows, you have to pay mondo bucks for that type of security-breaking utility, generally much more than the average schmo wants to spend.
|
|
|
04-14-2007, 03:52 AM
|
#10
|
Member
Registered: Jan 2006
Location: Romania
Distribution: Suse 12.0, Slackware 12.1, Debian, Ubuntu, Gentoo
Posts: 301
Rep:
|
Not really, it's easy with Windows too. You just need to get 2 files with a live CD, and there are tons of free utilities that can tell you the admin password. Alternatively, there are tons of exploits that give you admin privileges.
For Linux, if you already have a BIOS password, put in a GRUB password, and it's going to be pretty hard for the average user to get the root password (unless he has a screwdriver with him, and will reset the BIOS, or uses another hard drive as master, setting the one in the lab as slave, either way needing to open up the computer).
|
|
|
04-14-2007, 11:56 PM
|
#11
|
Member
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Rep:
|
There is an ultimate way to protect a Linux root password which goes far beyond BIOS, Grub, and even external attempts: Encrypted File System. With newer versions of the 2.6 kernel you can actually encrypt the root file system - in this way even if you do mount the hard disk externally you still cannot mount it unless you know the encrypted password. Just an FYI.
|
|
|
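The GRUB password and single-user-mode settings recommended in the replies above can be checked from the admin's side with a short script. This is an added example, not part of any poster's reply; it assumes the GRUB legacy (`menu.lst`) and sysvinit (`/etc/inittab`) formats in use when the thread was written, and the sample files and hash are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the two boot-time controls raised in the thread.
# Assumes GRUB legacy (menu.lst / grub.conf) and sysvinit (/etc/inittab).

# Succeeds if a "password" directive sits in the global section (before the
# first "title"), where it locks the menu entry editor and the command line.
grub_has_global_password() {
    awk '
        /^[ \t]*#/              { next }
        /^[ \t]*title[ \t]/     { exit }
        /^[ \t]*password[ \t=]/ { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if an active inittab entry for runlevel S runs sulogin, so that
# single-user mode asks for the root password.
inittab_requires_sulogin() {
    awk -F: '
        /^[ \t]*#/ { next }
        { split($4, cmd, /[ \t]+/) }
        $2 ~ /[Ss]/ && cmd[1] ~ /^(.*\/)?sulogin$/ { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_boot_access GRUB_CONF INITTAB: prints findings, returns 1 on any gap.
audit_boot_access() {
    rc=0
    if grub_has_global_password "$1"; then echo "OK    GRUB menu editing is password protected"
    else echo "WEAK  no global GRUB password: boot entries can be edited"; rc=1; fi
    if inittab_requires_sulogin "$2"; then echo "OK    single-user mode runs sulogin"
    else echo "WEAK  single-user mode gives a root shell without a password"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from the thread); the hash is a placeholder.
demo=$(mktemp -d)
printf '%s\n' 'default 0' 'title Linux' 'kernel /vmlinuz root=/dev/hda1 ro' \
    > "$demo/weak.lst"
printf '%s\n' 'password --md5 PLACEHOLDER_HASH' 'default 0' 'title Linux' \
    'kernel /vmlinuz root=/dev/hda1 ro' > "$demo/hard.lst"
printf '%s\n' 'id:3:initdefault:' '#~~:S:wait:/sbin/sulogin' > "$demo/weak.tab"
printf '%s\n' 'id:3:initdefault:' '~~:S:wait:/sbin/sulogin' > "$demo/hard.tab"

audit_boot_access "$demo/weak.lst" "$demo/weak.tab" || echo "=> harden before deploying"
audit_boot_access "$demo/hard.lst" "$demo/hard.tab"
```

Both checks cover only the installed system's own boot path; booting from other media is still governed by the BIOS boot order and password discussed in the thread.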