[plug] Linux security idea - maybe
Bernd Felsche
bernie at innovative.iinet.net.au
Fri Jun 13 08:27:37 WST 2003
On Fri, Jun 13, 2003 at 12:11:07AM +0800, Leon Brooks wrote:
> On Thu, 12 Jun 2003 23:37, Craig Ringer wrote:
> > Here's an example (DO NOT USE w/o first having a console open as
> > root, another root console running vi /etc/passwd, and a rescue disk
> > handy - just in case):
>
> > /etc/passwd
> > root:x:0:0:root:/root:/bin/false
> > realsuper:x:0:0:real superuser:/realsuper:/bin/bash
> > ....other...users....
> > /etc/shadow
> > root:*:12165:0:99999:7:::
> > realsuper:MD5_PASSWORD_DELETED_FOR_SECURITY:12165:0:99999:7:::
> > ....other....users....
> > Now, a login as root will always fail, and a login as "realsuper"
> > will succeed and give superuser rights. Occasional confusion where
> > after login your username sometimes appears as "root" (on created
> > files for example) is not unusual, but is not to be stressed about.
>
> How brave are you? (-:
Too brave; there are a number of applications (even KDE) that'll
prompt for root's password to temporarily acquire necessary
privilege.
> Delete *both* root passwords and have the ssh2 public key from a
> seldom-used user on (an)other machine(s) in /root/.ssh/authorized_keys.
> If you lose network, you can always use the init=/bin/bash option from
> the console anyway. (-: You did password LILO, didn't you? :-)
What's the point of that? If somebody has physical access, they can
either boot from their own media or rip out your hard drive and plug
it into their own system.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
More information about the plug
mailing list