Rooting a local box
steve at bluehost.com
Thu Apr 26 14:41:18 MDT 2007
You guys are confusing physical security with boot security.
It is true that if you have physical access to a system, you can get
around any boot security, but you are missing the point that every OS
will eventually be used with a serial or console connection.
If someone compromises the console server (often easier than it should
be) then they have console access without physical access. I would much
rather have the minor inconvenience of single user requiring a password
than make anything easier for a would-be cracker.
Nicholas Leippe wrote:
> On Thursday 26 April 2007, Stuart Jansen wrote:
>> On Thu, 2007-04-26 at 12:03 -0600, Nicholas Leippe wrote:
>>> On some distros, even single user asks for the root password. You can get
>>> past that by passing init=/bin/sh to the kernel. If you have /bin/bb,
>>> even better. Where to go from there is left as an exercise for the
>> Using init=/bin/sh on modern systems with udev, etc. is not for the
>> faint of heart.
> Which is why I left it as an exercise for the reader. ;)
>> If your distro requires the root password to enter
>> single user mode, it'd probably be easier to just boot from a rescue
>> disk. SUSE is an example of an annoying distro that requires the root
>> password for single user mode, but in compensation the SUSE rescue disk
>> is kinda snazzy.
> Likewise for Gentoo, on both accounts.
>> If you have enough access to reboot into single user mode, you've
>> got enough access to boot from alternative media or pull the drives.
>> Requiring the root password doesn't do much to improve security.
> Yep. When there's physical access to the box, all bets on security are off.