[plug] Linux security idea - maybe

Leon Brooks leon at brooks.fdns.net
Fri Jun 13 00:11:07 WST 2003


On Thu, 12 Jun 2003 23:37, Craig Ringer wrote:
> Here's an example (DO NOT USE w/o first having a console open as
> root, another root console running vi /etc/passwd, and a rescue disk
> handy - just in case):

> 	/etc/passwd
> root:x:0:0:root:/root:/bin/false
> realsuper:x:0:0:real superuser:/realsuper:/bin/bash
> ....other...users....

> 	/etc/shadow
> root:*:12165:0:99999:7:::
> realsuper:MD5_PASSWORD_DELETED_FOR_SECURITY:12165:0:99999:7:::
> ....other....users....

> Now, a login as root will always fail, and a login as "realsuper"
> will succeed and give superuser rights. Occasional confusion where
> after login your username sometimes appears as "root" (on created
> files for example) is not unusual, but is not to be stressed about.

How brave are you? (-:

Delete *both* root passwords and have the ssh2 public key from a 
seldom-used user on (an)other machine(s) in /root/.ssh/authorized_keys. 
If you lose network, you can always use the init=/bin/bash option from 
the console anyway. (-: You did password LILO, didn't you? :-)

Cheers; Leon



More information about the plug mailing list