From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-April/014879.html | 151 ++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-April/014879.html (limited to 'zarb-ml/mageia-dev/2012-April/014879.html') diff --git a/zarb-ml/mageia-dev/2012-April/014879.html b/zarb-ml/mageia-dev/2012-April/014879.html new file mode 100644 index 000000000..084f8c288 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014879.html @@ -0,0 +1,151 @@ + + + + [Mageia-dev] Handling single user/rescue/failsafe mode + + + + + + + + + +

[Mageia-dev] Handling single user/rescue/failsafe mode

+ Wolfgang Bornath + molch.b at googlemail.com +
+ Thu Apr 26 14:22:31 CEST 2012 +

+
+ +
2012/4/26 Colin Guthrie <mageia at colin.guthr.ie>:
+> 'Twas brillig, and Wolfgang Bornath at 26/04/12 12:05 did gyre and gimble:
+>> 2012/4/26 Guillaume Rousse <guillomovitch at gmail.com>:
+>>> Le 26/04/2012 12:12, Thierry Vignaud a écrit :
+>>>
+>>>> On 26 April 2012 11:38, Colin Guthrie<mageia at colin.guthr.ie>  wrote:
+>>>>>
+>>>>> It seems that in mga1 single user mode just gave a shell without
+>>>>> requiring root password.
+>>>>>
+>>>>> I'm not sure when this was added, but in the initscripts changelog, I
+>>>>> see it has come from the big mdvconf patch[1].
+>>>>>
+>>>>> Can anyone remember the reason for this (perhaps it was related to tcb
+>>>>> support?) and whether or not we should do the same thing in systemd
+>>>>> which currently (now that I've fixed it) uses whatever SINGLE says in
+>>>>> /etc/sysconfig/init.
+>>>>
+>>>>
+>>>> This has been like this forever...
+>>>> At least for the past decade.
+>>>> I think other distros do/did it too.
+>>>
+>>> Some of them force the use of a password for single mode. Given the ease of
+>>> bypassing it through init=/bin/sh, unless the bootloader is also protected,
+>>> I'm a bit sceptic about the interest.
+>>
+>> For ages (Mandrakelinux/Mandriva) it has been
+>>
+>> SINGLE=/sbin/sushell
+>
+> Yes, but inittab itself just referenced /bin/sh (thus not caring what
+> SINGLE variable was set to).
+>
+>> as default. IMHO this default setting is a security issue. Someone
+>> with access to your machine (in an office or whereever) can simply
+>> turn it on (or first turn it off with the power button), select
+>> failsafe from the boot menue and has all the privileges he wants
+>> without any hurdles to jump. So I've been advocating to change this
+>> entry in /etc/sysconfig/init.
+>>
+>> I've been also recommending users to change the matching line in
+>> /etc/inittab accordingly:
+>>
+>> #Single user mode
+>> ~~:S:wait:/sbin/sulogin
+>>
+>> which does the same. Unfortunately Mandrake/Mandriva developpers did
+>> not share my view.
+>
+> As Guillaume pointed out, if they have physical access, you can also
+> just pass init=/bin/sh to the kernel prompt, so I see little real
+> security benefit here (it maybe raises the bar slightly, but insecure is
+> insecure).
+
+I heard that argument before, so I'm used to it.
+With the default settung nobody needs to be a wizard to switch on the
+computer and select the failsafe mode. With that little bar you have
+to know how to get to the kernel prompt (I guess you mean the kernel
+line in the boot menue) and how to change it. So the small bar
+prevents mischievous kids to do anything to dad's computer and office
+collegues playing bad with you.
+
+What is the advantage to leave the barn door open? To make it easier
+on those who can not remember their root password? Having to find out
+how to overcome that small bar will not hurt them but teach them a
+lesson.
+
+-- 
+wobo
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
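Review bot: the poster header near the top of the added 014879.html and the quoted attribution lines (for example "2012/4/26 Colin Guthrie <mageia at colin.guthr.ie>:") keep full sender addresses with only the " at " substitution, which is trivially reversed once the file is served through a web repository browser such as the cgit instance in the footer. If these archives are meant to be public, consider masking the local part or the domain during the import step rather than committing the pages as generated. The commit message is also only its subject line; a body saying where the archive was exported from and which tool produced the HTML would help anyone who later needs to verify or regenerate these 151 lines.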