[2110] in RedHat Linux List
Re: Is "linux single" a security concern?
daemon@ATHENA.MIT.EDU (Otto Hammersmith)
Thu Oct 31 17:24:54 1996
From: Otto Hammersmith <ohammers@cu-online.com>
To: redhat-list@redhat.com
Date: Thu, 31 Oct 1996 16:21:47 -0600 (CST)
In-Reply-To: <199610312136.QAA00435@hexagram.brickandivy.com> from "Chris Powell" at Oct 31, 96 04:36:58 pm
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Chris Powell wrote:
>
> I booted my box to try out the "linux single" lilo option, and I'm concerned
> that the resulting unprotected root shell is a fairly serious security
> concern.
>
> Not all machines can be physically secured (e.g. in a large office building,
> perhaps) and it seems that it would be a trivial way to gain root access to
> any Linux box.
>
> Am I misunderstanding something fairly obvious here?
Nope, it's a pretty big hole. But pretty much no matter what, once
someone has physical access to the machine, it's gone.

I suppose it could do what Solaris does... ask you for the root
password before entering single user mode. (Well, you can configure
that in the BIOS.) But even that wouldn't do much against a boot disk.

To put it simply, I've broken into C2 certified OSes without even a
clue as to the password of any of the accounts... it wasn't that
difficult. IMO, whatever you do to patch the hole of single user
mode just gives you a false sense of security.
--
-Otto