<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Handling single user/rescue/failsafe mode
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Handling%20single%20user/rescue/failsafe%20mode&In-Reply-To=%3C4F993516.9060501%40colin.guthr.ie%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="014875.html">
<LINK REL="Next" HREF="014879.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Handling single user/rescue/failsafe mode</H1>
<B>Colin Guthrie</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Handling%20single%20user/rescue/failsafe%20mode&In-Reply-To=%3C4F993516.9060501%40colin.guthr.ie%3E"
TITLE="[Mageia-dev] Handling single user/rescue/failsafe mode">mageia at colin.guthr.ie
</A><BR>
<I>Thu Apr 26 13:44:22 CEST 2012</I>
<P><UL>
<LI>Previous message: <A HREF="014875.html">[Mageia-dev] Handling single user/rescue/failsafe mode
</A></li>
<LI>Next message: <A HREF="014879.html">[Mageia-dev] Handling single user/rescue/failsafe mode
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#14877">[ date ]</a>
<a href="thread.html#14877">[ thread ]</a>
<a href="subject.html#14877">[ subject ]</a>
<a href="author.html#14877">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>'Twas brillig, and Wolfgang Bornath at 26/04/12 12:05 did gyre and gimble:
><i> 2012/4/26 Guillaume Rousse <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">guillomovitch at gmail.com</A>>:
</I>>><i> On 26/04/2012 12:12, Thierry Vignaud wrote:
</I>>><i>
</I>>>><i> On 26 April 2012 11:38, Colin Guthrie<<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">mageia at colin.guthr.ie</A>> wrote:
</I>>>>><i>
</I>>>>><i> It seems that in mga1 single user mode just gave a shell without
</I>>>>><i> requiring root password.
</I>>>>><i>
</I>>>>><i> I'm not sure when this was added, but in the initscripts changelog, I
</I>>>>><i> see it has come from the big mdvconf patch[1].
</I>>>>><i>
</I>>>>><i> Can anyone remember the reason for this (perhaps it was related to tcb
</I>>>>><i> support?) and whether or not we should do the same thing in systemd
</I>>>>><i> which currently (now that I've fixed it) uses whatever SINGLE says in
</I>>>>><i> /etc/sysconfig/init.
</I>>>><i>
</I>>>><i>
</I>>>><i> This has been like this forever...
</I>>>><i> At least for the past decade.
</I>>>><i> I think other distros do/did it too.
</I>>><i>
</I>>><i> Some of them force the use of a password for single mode. Given the ease of
</I>>><i> bypassing it through init=/bin/sh, unless the bootloader is also protected,
</I>>><i> I'm a bit sceptical about the benefit.
</I>><i>
</I>><i> For ages (Mandrakelinux/Mandriva) it has been
</I>><i>
</I>><i> SINGLE=/sbin/sushell
</I>
Yes, but inittab itself just referenced /bin/sh (thus not caring what
SINGLE variable was set to).
><i> as default. IMHO this default setting is a security issue. Someone
</I>><i> with access to your machine (in an office or wherever) can simply
</I>><i> turn it on (or first turn it off with the power button), select
</I>><i> failsafe from the boot menu and has all the privileges he wants
</I>><i> without any hurdles to jump. So I've been advocating to change this
</I>><i> entry in /etc/sysconfig/init.
</I>><i>
</I>><i> I've been also recommending users to change the matching line in
</I>><i> /etc/inittab accordingly:
</I>><i>
</I>><i> #Single user mode
</I>><i> ~~:S:wait:/sbin/sulogin
</I>><i>
</I>><i> which does the same. Unfortunately Mandrake/Mandriva developers did
</I>><i> not share my view.
</I>
As Guillaume pointed out, if they have physical access, you can also
just pass init=/bin/sh to the kernel prompt, so I see little real
security benefit here (it maybe raises the bar slightly, but insecure is
insecure).
Col
--
Colin Guthrie
colin(at)mageia.org
<A HREF="http://colin.guthr.ie/">http://colin.guthr.ie/</A>
Day Job:
Tribalogic Limited <A HREF="http://www.tribalogic.net/">http://www.tribalogic.net/</A>
Open Source:
Mageia Contributor <A HREF="http://www.mageia.org/">http://www.mageia.org/</A>
PulseAudio Hacker <A HREF="http://www.pulseaudio.org/">http://www.pulseaudio.org/</A>
Trac Hacker <A HREF="http://trac.edgewall.org/">http://trac.edgewall.org/</A>
</PRE>
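The thread makes two points that are easy to check mechanically: whether the single-user entry actually runs sulogin (in /etc/inittab and in SINGLE= of /etc/sysconfig/init), and whether that matters at all, since an unlocked bootloader lets anyone append init=/bin/sh. The script below is an added example written for this page, not code from the thread or from Mageia; it audits constructed sample configs rather than a live system. The file locations are parameters; the defaults in the sample generator (inittab, /etc/sysconfig/init, a legacy GRUB menu.lst) and the grub2 `set superusers=` pattern are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether single-user/failsafe mode
# requires the root password, and whether an unlocked bootloader makes that
# moot because init=/bin/sh can be passed on the kernel line.

# What does the inittab "S" (single user) entry run?  Prints sulogin, shell, or none.
single_user_handler() {
    line=$(grep -E '^[^#]*:S:' "$1" 2>/dev/null | head -n 1)
    case "$line" in
        '')         echo none ;;
        *sulogin*)  echo sulogin ;;
        *)          echo shell ;;      # /bin/sh, /sbin/sushell or anything else
    esac
}

# Value of SINGLE= in /etc/sysconfig/init (what the thread says systemd now honours).
sysconfig_single() {
    grep -E '^SINGLE=' "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Is the bootloader config password-protected?  Legacy GRUB uses a top-level
# "password" line; grub2 uses "set superusers=" (assumed pattern).  Prints yes/no.
grub_locked() {
    if grep -qE '^[[:space:]]*(password([[:space:]]|$)|set superusers=)' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Single-user mode is only "protected" when sulogin is used in both places AND
# the bootloader is locked; with an open bootloader the password prompt is
# bypassable regardless (Guillaume's and Colin's point).
assess() {
    handler=$(single_user_handler "$1")
    single=$(sysconfig_single "$2")
    locked=$(grub_locked "$3")
    if [ "$handler" = sulogin ] && [ "$single" = /sbin/sulogin ] && [ "$locked" = yes ]; then
        echo protected
    elif [ "$locked" = no ]; then
        echo "bypassable-via-init=/bin/sh"
    else
        echo unprotected-single-user
    fi
}

# Constructed sample configs (not real system files) for three scenarios,
# written under a temp dir whose path is printed:
#   default  - the Mandriva default described in the thread (sushell, /bin/sh, no GRUB password)
#   halfway  - Wolfgang's sulogin change applied, but bootloader still open
#   hardened - sulogin everywhere plus a GRUB password
make_samples() {
    dir=$(mktemp -d)
    for s in default halfway hardened; do mkdir -p "$dir/$s"; done

    printf 'id:5:initdefault:\n# Single user mode\n~~:S:wait:/bin/sh\n' > "$dir/default/inittab"
    echo 'SINGLE=/sbin/sushell' > "$dir/default/init"
    printf 'timeout 10\ndefault 0\ntitle linux\n  kernel (hd0,0)/vmlinuz root=/dev/sda1\ntitle failsafe\n  kernel (hd0,0)/vmlinuz root=/dev/sda1 failsafe\n' > "$dir/default/menu.lst"

    printf 'id:5:initdefault:\n#Single user mode\n~~:S:wait:/sbin/sulogin\n' > "$dir/halfway/inittab"
    echo 'SINGLE=/sbin/sulogin' > "$dir/halfway/init"
    cp "$dir/default/menu.lst" "$dir/halfway/menu.lst"

    cp "$dir/halfway/inittab" "$dir/hardened/inittab"
    cp "$dir/halfway/init" "$dir/hardened/init"
    printf 'timeout 10\npassword --md5 $1$constructed$notarealhash\ndefault 0\ntitle linux\n  kernel (hd0,0)/vmlinuz root=/dev/sda1\n' > "$dir/hardened/menu.lst"

    echo "$dir"
}

# Stand-alone run: print the verdict for each constructed scenario.
if [ "${1:-}" = demo ]; then
    d=$(make_samples)
    for s in default halfway hardened; do
        echo "$s: $(assess "$d/$s/inittab" "$d/$s/init" "$d/$s/menu.lst")"
    done
    rm -rf "$d"
fi
```

Run it with `sh audit.sh demo` to see the three verdicts, or point `assess` at a real /etc/inittab, /etc/sysconfig/init and bootloader config. One caveat the check does not capture: in legacy GRUB a top-level `password` line only stops interactive editing of the kernel line, so the failsafe stanza itself must also carry `lock` (or be removed) for the "protected" verdict to mean anything, and none of this helps if the machine will boot from removable media.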
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="014875.html">[Mageia-dev] Handling single user/rescue/failsafe mode
</A></li>
<LI>Next message: <A HREF="014879.html">[Mageia-dev] Handling single user/rescue/failsafe mode
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#14877">[ date ]</a>
<a href="thread.html#14877">[ thread ]</a>
<a href="subject.html#14877">[ subject ]</a>
<a href="author.html#14877">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>