On Mon, 2005-10-10 at 19:34 +1000, SEKINE tatz Tatsuo wrote: > From: Felipe Alfaro Solana <felipe.alfaro@xxxxxxxxx> > Date: Mon, 10 Oct 2005 11:02:45 +0200 > > > I agree that having physical access to the machine could make easy for > > an intruder to get into it, but sometimes the intruder has limited > > physical access, that is, the intruder can't steal the hard drive or > > the machine, only sit at the keyboard, restart the machine into > > single-user mode and reset the root password (and yes, I know I we can > > use a GRUB password). > > If the GRUB password isn't used to protect the machine, the > boot parameter is editable. > > In that case, the intruder can alternate "init" program with > /bin/sh, putting "init=/bin/sh" into the boot parameter. It > means that modified /etc/inittab can not protect the machine > because the file is read by /sbin/init (default "init" > programme). Right. I think the point, Felipe, is that adding a password to single-user mode gives the admin a *FALSE* sense of security. If you need that level of security, you need MORE than that amount of security, if you get my meaning. The only acceptable alternative is to physically secure the machine. This might be a locked room or a locked rack. If the security of a machine is a concern, no unauthorized person should be able to just walk up to it and reboot it. I would think, however, that this sort of topic, and additional security measures, could and should be covered in a more comprehensive security guide. As Rahul mentioned, there is a Hardening Tutorial in CVS. Maybe you should offer to participate with the author to bring this document up to snuff. As I recall, no editor has yet stepped up to work on it. Stuart has started some security material on the wiki as well. Instead of having several efforts floating around in various forms, maybe the three of you (Stuart, Felipe, and Charles Heselton, author of the hardening tutorial) can put your heads *together* and work on something more comprehensive! Three heads are better than one, and all that... -- Paul W. Frields, RHCE http://paul.frields.org/ gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717 Fedora Documentation Project: http://fedora.redhat.com/projects/docs/
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-docs-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-docs-list
