From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-April/014877.html | 152 ++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-April/014877.html (limited to 'zarb-ml/mageia-dev/2012-April/014877.html') diff --git a/zarb-ml/mageia-dev/2012-April/014877.html b/zarb-ml/mageia-dev/2012-April/014877.html new file mode 100644 index 000000000..eabd89664 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014877.html @@ -0,0 +1,152 @@ + + + + [Mageia-dev] Handling single user/rescue/failsafe mode + + + + + + + + + +

[Mageia-dev] Handling single user/rescue/failsafe mode

+ Colin Guthrie + mageia at colin.guthr.ie +
+ Thu Apr 26 13:44:22 CEST 2012 +

+
+ +
'Twas brillig, and Wolfgang Bornath at 26/04/12 12:05 did gyre and gimble:
+> 2012/4/26 Guillaume Rousse <guillomovitch at gmail.com>:
+>> Le 26/04/2012 12:12, Thierry Vignaud a écrit :
+>>
+>>> On 26 April 2012 11:38, Colin Guthrie<mageia at colin.guthr.ie>  wrote:
+>>>>
+>>>> It seems that in mga1 single user mode just gave a shell without
+>>>> requiring root password.
+>>>>
+>>>> I'm not sure when this was added, but in the initscripts changelog, I
+>>>> see it has come from the big mdvconf patch[1].
+>>>>
+>>>> Can anyone remember the reason for this (perhaps it was related to tcb
+>>>> support?) and whether or not we should do the same thing in systemd
+>>>> which currently (now that I've fixed it) uses whatever SINGLE says in
+>>>> /etc/sysconfig/init.
+>>>
+>>>
+>>> This has been like this forever...
+>>> At least for the past decade.
+>>> I think other distros do/did it too.
+>>
+>> Some of them force the use of a password for single mode. Given the ease of
+>> bypassing it through init=/bin/sh, unless the bootloader is also protected,
+>> I'm a bit sceptic about the interest.
+> 
+> For ages (Mandrakelinux/Mandriva) it has been
+> 
+> SINGLE=/sbin/sushell
+
+Yes, but inittab itself just referenced /bin/sh (thus not caring what
+SINGLE variable was set to).
+
+> as default. IMHO this default setting is a security issue. Someone
+> with access to your machine (in an office or whereever) can simply
+> turn it on (or first turn it off with the power button), select
+> failsafe from the boot menue and has all the privileges he wants
+> without any hurdles to jump. So I've been advocating to change this
+> entry in /etc/sysconfig/init.
+> 
+> I've been also recommending users to change the matching line in
+> /etc/inittab accordingly:
+> 
+> #Single user mode
+> ~~:S:wait:/sbin/sulogin
+> 
+> which does the same. Unfortunately Mandrake/Mandriva developpers did
+> not share my view.
+
+As Guillaume pointed out, if they have physical access, you can also
+just pass init=/bin/sh to the kernel prompt, so I see little real
+security benefit here (it maybe raises the bar slightly, but insecure is
+insecure).
+
+Col
+
+
+
+-- 
+
+Colin Guthrie
+colin(at)mageia.org
+http://colin.guthr.ie/
+
+Day Job:
+  Tribalogic Limited http://www.tribalogic.net/
+Open Source:
+  Mageia Contributor http://www.mageia.org/
+  PulseAudio Hacker http://www.pulseaudio.org/
+  Trac Hacker http://trac.edgewall.org/
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
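Review bot: The added archive page republishes contributor e-mail addresses in a trivially reversible form: "mageia at colin.guthr.ie" in the author line and the quoted attribution, "guillomovitch at gmail.com" in the quoted attribution, and "colin(at)mageia.org" in the signature. Once committed, these remain in the repository history even if the archive is later re-rendered, so I would suggest masking the local part or the domain in the import step before adding the files. The commit message "Add zarb MLs html archives" also does not say where the archives were exported from or how they were generated, which anyone regenerating or auditing them later would need.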