Gordon Matzigkeit <gord@trick.fig.org> wrote:

 >> 1) It is possible to boot into the rescue shell without a
 >> password.  I disagree with the idea of patching Hurd init to
 >> require a password to get into rescue mode.  If you want
 >> protection, then let's change GRUB so that it refuses to boot Mach
 >> in anything but automatic mode, unless you enter a password.

 TB> At the FSF we found such a feature very handy.  It raises the bar
 TB> a bit from randoms who want to be a pain.  It should be a
 TB> strictly optional and non-default feature.  But I don't want grub
 TB> to have crypt in it, or to depend on the format of /etc/passwd.
 TB> So I think this belongs in init, as an optional feature, or by
 TB> changing the "shell" started at single-user ("rescue") startup.

> The kind of password I was talking about was a simple `boot
> administrator password', like PC BIOSes have right now, not a Unix
> password.

You could fix up the GRUB password feature easily enough.  If the file
is unreadable by any other than root, then your problem is essentially
solved.  This combined with disabling floppy booting in the BIOS gives
you a relatively secure system for lab-type use.
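
An added example, not part of the original message: one way to check that a boot loader configuration file holding the boot password is owned by root and closed to group and other. The function name `audit_boot_config` is hypothetical, the file path is supplied by the caller, and the check assumes the password sits on a line beginning with GRUB's `password` directive.

```shell
#!/bin/sh
# Audit a boot loader config file that may hold a boot password.
# Usage: audit_boot_config FILE [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Returns 0 when the file is locked down, 1 on findings, 2 if it is missing.
audit_boot_config() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    findings=0

    # ls -ldnL prints "MODE LINKS UID GID ..." with numeric ids and
    # follows symlinks, so the target of a link is what gets judged.
    mode=$(ls -ldnL "$file" | awk '{print $1}')
    uid=$(ls -ldnL "$file" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid"
        findings=1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    # Stricter than "unreadable": any group/other access is flagged.
    go=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$go" != "------" ]; then
        if grep -Eq '^[[:space:]]*password([[:space:]]|$)' "$file" 2>/dev/null; then
            echo "FAIL: $file exposes a password directive (mode $mode)"
        else
            echo "FAIL: $file is accessible to group/other (mode $mode)"
        fi
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: $file (mode $mode, uid $uid)"
    return "$findings"
}

# Run directly as: sh audit.sh /path/to/config
if [ "$#" -gt 0 ]; then
    audit_boot_config "$@"
fi
```
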

