Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
|
|
|
07-03-2007, 12:59 AM
|
#1
|
Member
Registered: Nov 2006
Location: Kerala, India
Distribution: Arch Linux
Posts: 134
Rep:
|
root password security problem
One of my friends asked me how to log in as 'root' on a Linux machine whose password is lost.
I told them to boot with a live Linux CD and edit the /etc/passwd file. And it worked.
But on second thought I felt that the root password is this easy to crack. Isn't that a security problem?
How can I prevent cracking of my root password, especially using a live Linux CD...
And also, is there any other way to get the lost password without using a live Linux CD...
Thank you
|
|
|
07-03-2007, 01:16 AM
|
#2
|
Senior Member
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: OpenBSD, Debian, FreeBSD
Posts: 1,450
Rep:
|
If someone has physical access to the machine, you can never make it 100% secure from them.
You can take precautions:
1) single user mode should be insecure so it requires a password
2) the bios should be set to only boot from the primary drive
3) the bios should require a password (different from root's) to change settings
These steps alone will prevent the majority of problems. But if they can get at the machine... anything is possible.
|
|
|
07-03-2007, 01:16 AM
|
#3
|
Senior Member
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: OpenBSD, Debian, FreeBSD
Posts: 1,450
Rep:
|
Sorry, repeat post.
Last edited by frob23; 07-03-2007 at 01:18 AM.
|
|
|
07-03-2007, 01:18 AM
|
#4
|
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131
Rep:
|
You don't need a livecd if you can access your bootloader and tell it to boot to runlevel 1 (single-user mode usually). It'll give you a root login without asking for a password, so you can use it to change the root password with passwd.
Set a bootloader password, encrypt the filesystem, configure the BIOS to prevent you from booting from anywhere other than the hard disk, set a BIOS password, ... there are many ways (NOTE: taking out the battery for a moment flushes BIOS settings, so it's a goner). But in the end it's just up to who can access and mount your disk - if somebody is eager, s/he'll just take the disk out of your machine, connect it to another PC, mount the disk and either do the change you mentioned or copy off the shadow file, put things back where they were and start cracking the encrypted password against a dictionary ("brute-force attack"). Once cracked, s/he can use regular login.
The only way that works is to remove the media where those passwords are - take the hard disk with you or put it into a safe. As long as it's in your PC, anybody who can access it can easily get into your system. Preventing physical access is pretty difficult, but that's something you must do if you want to be able to sleep well.
EDIT: to make you feel better, think about this: cracking a Windows machine is just as easy. Windows 2000 had a little flaw where you could easily just replace one executable file that is run at the login screen if you wait for too long, with a command prompt. Result: boot the machine, and when the login window comes up, wait for some time and you'll get a console with system permissions in front of you. Change passwords, replace the already-replaced executable again, and you're set. It's fast and easy with two computers, but doesn't produce much trouble with only one PC either. Luckily somebody told MS and they "fixed the problem" in the newer versions (but that doesn't say there aren't similar holes around...)
Last edited by b0uncer; 07-03-2007 at 01:22 AM.
|
|
|
07-03-2007, 04:46 AM
|
#5
|
LQ Newbie
Registered: Jun 2007
Posts: 4
Rep:
|
Hello there...
I'm still new in this forum, so forgive me if I'm wrong...
My friend told me that he has encountered a problem with a server (handed over to his company by another vendor). The problem is that he didn't know the root password and tried to reset it. He managed to boot the server into single-user mode but he could not edit the shadow file. How to solve this problem (other than formatting it, of course)?
|
|
|
07-03-2007, 09:09 AM
|
#6
|
Member
Registered: Jan 2007
Distribution: Slackware
Posts: 341
Rep:
|
Quote:
Originally Posted by matrix13
I told them to boot with a live Linux CD and edit the /etc/passwd file. And it worked.
|
There is nothing to edit in /etc/passwd file.
Quote:
Originally Posted by matrix13
But on second thought I felt that the root password is this easy to crack. Isn't that a security problem?
|
This is a myth. Modern Linux distributions, even in single-user mode, don't allow root login without password:
Quote:
(none) login: root
Password:
|
Quote:
Originally Posted by matrix13
And also, is there any other way to get the lost password without using a live Linux CD...
|
Decrypting hashes
|
|
|
07-03-2007, 07:30 PM
|
#7
|
LQ Newbie
Registered: Jun 2007
Posts: 4
Rep:
|
Quote:
Modern Linux distributions, even in single-user mode, don't allow root login without password
|
Which distro? I'm using Fedora 6 currently, but it doesn't ask for a password in single-user mode.
|
|
|
07-04-2007, 12:18 AM
|
#8
|
Member
Registered: Nov 2006
Location: Kerala, India
Distribution: Arch Linux
Posts: 134
Original Poster
Rep:
|
Thanks for all the replies...
--For Road Map: I don't understand "There is nothing to edit in /etc/passwd file.". I removed the x after root, like
root:x:....
Then saved it and rebooted the system as root. It didn't ask for a password.
So, you mean this is not necessary...(clarification needed, please)
--And b0uncer, from your reply I felt that Windows is much secure in this aspect. (Pardon me, as I didn't crack any Windows machine. But I would like to.) Is that true?
--I heard of providing a bootloader password. My bootloader is GRUB. So, how can I set a password in GRUB?
--Can I remove the single-user mode from the bootloader? What is your advice...
--Finally, how can I encrypt my file system?
Thanks all...
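
Added example, not part of any post in this thread: a defender-side check for the state post #8 describes, where the second field of an account's /etc/passwd line has been blanked so that no password is asked for. It also flags empty hashes in the shadow file, hashes stored directly in passwd, and extra UID 0 accounts; the function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Flags accounts that can log in with no password, which is
# what blanking the second field of root's /etc/passwd line produces.

# audit_accounts PASSWD_FILE SHADOW_FILE -> findings on stdout, status 1 if any
audit_accounts() {
    awk -F: '
        BEGIN { bad = 0 }
        /^#/ || NF == 0 { next }
        # First argument is the shadow file: remember each password field.
        FILENAME == ARGV[1] { seen[$1] = 1; hash[$1] = $2; next }
        # Second argument is the passwd file.
        {
            user = $1; pw = $2; uid = $3
            if (pw == "") {
                print "EMPTY_PASSWD_FIELD " user; bad = 1
            } else if (pw == "x") {
                if (!(user in seen)) { print "NO_SHADOW_ENTRY " user; bad = 1 }
                else if (hash[user] == "") { print "EMPTY_SHADOW_HASH " user; bad = 1 }
            } else if (pw != "*" && pw !~ /^!/) {
                print "HASH_IN_PASSWD " user; bad = 1
            }
            if (uid ~ /^0+$/ && user != "root") { print "EXTRA_UID0 " user; bad = 1 }
        }
        END { exit bad }
    ' "$2" "$1"
}

# write_sample DIR: constructed sample files (not from a real system).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$placeholder:13697:0:99999:7:::
daemon:*:13697:0:99999:7:::
alice::13697:0:99999:7:::
toor:!!:13697:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" || echo "findings present"
rm -rf "$demo_dir"
```

On a live system the same function can be run as root with `audit_accounts /etc/passwd /etc/shadow`, for example from a scheduled integrity check.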
|
|
|
07-04-2007, 03:09 AM
|
#9
|
Member
Registered: Dec 2006
Posts: 606
Rep:
|
I want to disable the root login without a password in single-user mode in Fedora 7. Any methods to do so?
|
|
|
07-06-2007, 09:37 PM
|
#10
|
Member
Registered: Dec 2006
Posts: 606
Rep:
|
Any help please.
|
|
|
07-07-2007, 02:08 PM
|
#11
|
Member
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37
Rep:
|
physical access = no security
If you want to provide some reasonable boot security on a pc class machine, you have to:
1) edit your bios boot priority settings to remove everything except your hard drive
2) set a bios password so nobody can change that
3) use a cable lock or a good locking computer cabinet to prevent anyone from being able to steal the hard disk or open the case and reset/reflash the bios
4) use a grub password to prevent anyone from booting anything other than the default stanza.
The downside is that if you ever forget your passwords or lose your keys, you have screwed yourself instead.
In addition, or maybe instead, you might seriously consider using LUKS, dm-crypt and a loooong passphrase to provide partition-level encryption, so if anyone manages to get physical access to your system or steals your hard drive, they will still be unlikely to find anything useful. The downside is a serious disk I/O performance penalty.
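
Added example, not part of any post in this thread: two checks for the console precautions raised in posts #2, #9 and #11, namely a GRUB password and a root password prompt in single-user mode. It assumes the GRUB legacy configuration syntax (a global `password` directive before the first `title`) and a SysV `/etc/inittab` with a runlevel S `sulogin` entry; the function names, status words and sample files are constructed, and the hash is a placeholder.

```shell
#!/bin/sh
# Added example: console-hardening checks for GRUB legacy and SysV init.
# File layouts are assumptions (2007-era); sample files below are constructed.

# check_grub_password FILE prints one of:
#   MD5_PASSWORD        global "password --md5 <hash>" before the first title
#   PLAINTEXT_PASSWORD  global password readable in the config file itself
#   NO_PASSWORD         boot entries can be edited at the console without a password
check_grub_password() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); sub(/[ \t=]+/, " ") }   # accept "key=value" too
        $1 == "title" { exit }                         # global section ends here
        $1 == "password" { r = ($2 == "--md5") ? "MD5_PASSWORD" : "PLAINTEXT_PASSWORD"; exit }
        END { print (r == "" ? "NO_PASSWORD" : r) }
    ' "$1"
}

# check_single_user FILE prints SULOGIN when runlevel S runs sulogin
# (root password required in single-user mode), else NO_SULOGIN.
check_single_user() {
    awk -F: '
        /^[ \t]*#/ { next }
        $2 ~ /S/ && $4 ~ /sulogin/ { found = 1 }
        END { print (found ? "SULOGIN" : "NO_SULOGIN") }
    ' "$1"
}

# write_boot_sample DIR: constructed grub.conf and inittab, weak and hardened.
write_boot_sample() {
    printf 'default=0\ntimeout=5\ntitle Linux\n\tkernel /vmlinuz ro root=/dev/sda1\n' > "$1/grub.weak"
    printf 'default=0\npassword --md5 PLACEHOLDER_HASH\ntitle Linux\n\tkernel /vmlinuz ro\n' > "$1/grub.hard"
    printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$1/inittab.weak"
    printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$1/inittab.hard"
}

d=$(mktemp -d)
write_boot_sample "$d"
for f in grub.weak grub.hard; do echo "$f: $(check_grub_password "$d/$f")"; done
for f in inittab.weak inittab.hard; do echo "$f: $(check_single_user "$d/$f")"; done
rm -rf "$d"
```

A password placed only inside a `title` entry is reported as NO_PASSWORD, because it does not stop someone at the console from editing the other entries. GRUB 2 uses a different syntax (`password_pbkdf2`) that this check does not cover.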
|
|
|
07-08-2007, 04:35 AM
|
#12
|
Member
Registered: Dec 2006
Posts: 606
Rep:
|
Can a remote login boot into runlevel 1?
This is my major concern.
|
|
|
07-08-2007, 10:42 AM
|
#13
|
Member
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37
Rep:
|
not likely
Quote:
Originally Posted by Peter_APIIT
Can a remote login boot into runlevel 1?
This is my major concern.
|
No, normal user accounts cannot reboot a box into runlevel 1.
Only someone with root privileges on your system (via the root password, a local account with sudo access, or by using a local account and cracking some setuid program) could modify your grub config file and reboot the box into runlevel 1. But if they are remote, then they couldn't access it, since single user mode is only accessible from the PC console.
Then again, if someone can get root privs on your system, they don't NEED to boot into runlevel 1. They are already root!
|
|
|
07-08-2007, 10:47 AM
|
#14
|
Member
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Rep:
|
Just encrypt /home and it then becomes completely moot whether they can boot into and access your machine. The data that matters is stored safely in a place they can not easily access.
If you were really paranoid, encrypt everything (/ and /home) and set it up to ask for passwords before it boots the main system. Guides are available from Google, but it's not something I would recommend to the noob element.
I am more of a "prevent access to data by method x" person. Physical security cannot always be maintained, so falling back to encryption is the only logical step.
|
|
|
07-09-2007, 05:06 AM
|
#15
|
Member
Registered: Dec 2006
Posts: 606
Rep:
|
Any good guide to encrypt / and /home?
Thanks for your help.
|
|
|
All times are GMT -5. The time now is 08:18 PM.