On Mon, 10 Oct 2005 esm@xxxxxxxxx wrote:

> On Sun, Oct 09, 2005 at 07:22:43PM -0400, Tom Diehl wrote:
> > Because requiring a passwd on a box that you can sit in front of and take
> > apart is STUPID!!
>
> Invalid assumption; one can have access to the console without having
> direct physical access. Think IP-based KVMs, where you can go so far as
> being able to power cycle a system without being able to put hands on the
> machine. Serial consoles are a similar situation.

Well, I will admit I had not thought of that case. :-) In that case they can
still play with grub and bypass the root passwd at boot time, so how does
that help? I am sure we could argue different corner cases on this forever. :-)
I hope you will agree this is a corner case though.

>
> Requiring a password for single-user login allows for a breach of KVM or
> serial console server security without opening the attached systems to
> attack. Grub passwords only solve half the problem (modification or misuse
> of the bootloader); single-user passwords prevent the attacker from taking
> advantage of a hardware fault (perhaps one that they triggered). Both are
> necessary to properly secure the boot process when the console can be
> reached over a network or from a shared/less-secured console area.

How does a grub passwd not solve the problem? As someone else already
mentioned, if you can modify the bootloader you can run init=/bin/sh from the
grub command line and bypass the passwd checks anyway.

> Granted, this is only an issue for data-center environments generally. I
> just wanted to point it out as a use case that I'm familiar with.

But in a data center environment you already control who is sitting in front
of the console. If you do not, then you have other problems. I will admit that
there are exceptions to every rule, but in the majority of cases booting to
RL 1 without a passwd is the least of your problems, if you are worried about
security.

My whole point to this goes back to the original concept of "If you have
physical access to the machine it is not secure". I will argue that a grub
passwd does more to protect from the casual user trying to gain root access
than requiring a passwd for RL-1. It is just too easy to bypass.

If, as others have argued, the would-be cracker only has access to the console
but no access to the physical machine, then a grub passwd or simply disabling
<ctrl><alt><del> is the way to go. If they can't reboot it they will never see
grub to play with it.

Regards,

Tom Diehl    tdiehl@xxxxxxxxxxxx    Spamtrap address mtd123@xxxxxxxxxxxx
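
The three console controls debated in this thread (a GRUB password, a single-user password, and disabling ctrl-alt-del) can be checked together; the script below is an added example, not part of the original messages. It assumes legacy GRUB (`grub.conf`) and SysV init (`inittab`); the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes legacy GRUB and SysV init.

# True if grub.conf has a global "password" line, i.e. before the first "title".
# A password placed inside a title entry does not stop editing of other entries.
grub_password_set() {
    awk '/^[[:space:]]*title[[:space:]]/ { exit }
         /^[[:space:]]*password[[:space:]]/ { found = 1; exit }
         END { exit !found }' "$1"
}

# True if an uncommented inittab entry runs sulogin (single-user password prompt).
single_user_password_set() {
    grep -Eq '^[^#:]*:[^:]*:[^:]*:.*sulogin' "$1"
}

# True if no uncommented inittab entry handles ctrlaltdel.
ctrl_alt_del_disabled() {
    ! grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"
}

# Usage: audit_console GRUB_CONF INITTAB; prints one line per missing control.
audit_console() {
    rc=0
    grub_password_set "$1" || { echo "MISSING: GRUB password (boot entries editable)"; rc=1; }
    single_user_password_set "$2" || { echo "MISSING: sulogin for single-user mode"; rc=1; }
    ctrl_alt_del_disabled "$2" || { echo "MISSING: ctrl-alt-del still reboots"; rc=1; }
    return $rc
}

# Constructed sample files, so the demo runs without touching /boot or /etc.
demo_dir=$(mktemp -d)
cat > "$demo_dir/grub.conf" <<'EOF'
default=0
timeout=5
title Fedora Core
        root (hd0,0)
        kernel /vmlinuz ro root=LABEL=/
EOF
cat > "$demo_dir/inittab" <<'EOF'
id:3:initdefault:
~~:S:wait:/sbin/sulogin
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
audit_console "$demo_dir/grub.conf" "$demo_dir/inittab" || true
rm -rf "$demo_dir"
```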