On 3/6/07, Brian Wheeler <bdwheele@xxxxxxxxxxx> wrote:
On Sun, 2007-03-04 at 10:01 -0500, Chuck Anderson wrote: > On Sun, Mar 04, 2007 at 09:45:22AM -0500, Chuck Anderson wrote: > > On Sun, Mar 04, 2007 at 03:00:05PM +0100, Enrico Scholz wrote: > > > > tested this in fedora for some months, but last I checked, runlevel 1 > > > > dropped the user directly in a root shell. > > > > > > > > Runlevel 3 is at least as safe as runlevel 5 and could be used with no > > > > security implications. > > > > > > As long as Grub and the BIOS are not protected with a password by > > > default, we do not need to discuss this.... > > > > Does grub have a "secure" flag you can put in a stanza to require grub > > to prompt for a password? That would solve the security concern. > > Answering myself: > > -- Command: lock > Prevent normal users from executing arbitrary menu entries. You > must use the command `password' if you really want this command to > be useful (*note password::). > > This command is used in a menu, as shown in this example: > > title This entry is too dangerous to be executed by normal users > lock > root (hd0,a) > kernel /no-security-os > > See also *Note Security::. > > > under *Note Security*: > > Also, you can specify an optional argument to `password'. See this > example: > > password PASSWORD /boot/grub/menu-admin.lst > > In this case, GRUB will load `/boot/grub/menu-admin.lst' as a > configuration file when you enter the valid password. > What's the chances of a user remembering this password if they've forgotten the root password? If its set to a default then everyone knows it anyway and there's no used to having it in the first place... The idea (elsewhere in this thread) of having a recovery root (which would probably be a busybox based system) on /boot is a good one, but it shouldn't have a password either, just a really "stern" warning not to do something stupid like, say, remove shared libraries. Brian
Just to remind everyone that I suggested this solution mosly for what (in FC6) was a common occurence of a broken X display. I don't think single user mode should be _that_ easy to get to. -- Fedora Core 6 and proud -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
