
Re: to allow root logins or not?



On Sat, 2007-04-21 at 22:51 +0300, Linas Žvirblis wrote:
> Greg Folkert wrote:
> 
> >> Keyboard-only access (where the hardware is in a secure cage) when
> >> the attacker does not know the root password leaves you in the same
> >> position as if he were telneting in.
> > 
> > VERY FEW places do this anymore. And in any case I said "touch the
> > keyboard and have physical access to the machines internals"
> 
> I do realize that you can break any security in a certain amount of
> time, but that is really not the point. The point is that the installer
> option is misleading. It says that it will disable root logins, and does
> exactly the opposite - it enables passwordless root login.

Okay then, do a test install with root disabled, then try to log in from
the console as root.

Won't work.

What you are trying to intimate is that when booting into single-user
mode you just get right in. Okay, so if you *ARE* at the console and you
are booting... what is to stop you from doing a modified boot where
"init=/bin/sh"?

Hmmm. Didn't think about that huh?

> I also strongly disagree that this is not a security concern. It is like
> not locking your car because it is easy to break a window and open the
> door from inside. After all, there is nothing you can do to prevent
> someone from getting into your car if one can get near it.

I never typed that it wasn't a security concern. I merely point out that
MANY small to medium sized businesses haven't taken the time nor the
consideration to see that it is a real problem.

And remember, locks only keep honest people honest. Same thing with this
whole thing. Best practices demand you have locks and use them. Root
disabled removes a lock and bolts that particular door shut.

And the analogy about a car and its locks... If the person is really
interested in your car and it is behind bars or in a cage/locked down
facility... what really matters is the physical access being removed.
But once in there he/she only has a limited amount of time before the
"authorities" take measures.

Come on, think with me on this, don't let those piss-green colored
glasses color your thinking habits.
-- 
greg, greg@gregfolkert.net

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
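As an added example, not part of Greg's message or anything else in this thread, here is a small POSIX shell audit of the two controls the exchange is arguing about: whether root's entry in /etc/shadow is actually locked (versus empty, which is passwordless), and whether the boot loader lets anyone at the console edit the kernel command line and append init=/bin/sh. It assumes GRUB 2 syntax ("set superusers=" plus a "password"/"password_pbkdf2" directive), which postdates the 2007 installer being discussed; the /etc/shadow lines and grub.cfg fragments below are constructed samples, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two console-root controls.
# Assumption: GRUB 2 configuration syntax; all inputs below are constructed.

# Classify the password field (second field) of a root entry in /etc/shadow.
#   empty field              -> passwordless (console login needs no secret)
#   "*" or anything with "!" -> locked        (installer's "disable root" case)
#   anything else            -> hashed        (a real password is set)
root_password_state() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        "")        echo passwordless ;;
        '*'|'!'*)  echo locked ;;
        *)         echo hashed ;;
    esac
}

# Does this GRUB 2 config demand a password before menu entries can be edited?
# Both a superusers list and a password directive are required; either alone
# leaves the "e" key (and therefore init=/bin/sh) open to whoever is at the console.
grub_edit_protected() {
    cfg=$1
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*set superusers=' &&
       printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*password(_pbkdf2)? '; then
        echo protected
    else
        echo editable
    fi
}

# Greg's point in one function: locking root's password does nothing for the
# console if the boot menu can be edited, because init=/bin/sh skips login entirely.
console_root_exposure() {
    state=$(root_password_state "$1")
    boot=$(grub_edit_protected "$2")
    if [ "$boot" = editable ]; then
        echo console-root-via-bootloader
    elif [ "$state" = passwordless ]; then
        echo console-root-via-login
    else
        echo console-root-requires-secret
    fi
}

# Constructed sample inputs (placeholders, not real hashes or real configs).
SHADOW_LOCKED='root:!:13600:0:99999:7:::'
SHADOW_EMPTY='root::13600:0:99999:7:::'
SHADOW_HASHED='root:$1$saltsalt$PLACEHOLDERHASHVALUE00:13600:0:99999:7:::'

GRUB_OPEN='set timeout=5
menuentry "Debian GNU/Linux" {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}'

GRUB_LOCKED='set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
set timeout=5
menuentry "Debian GNU/Linux" {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}'

# Walk through the combinations so the difference is visible at a glance.
for shadow in "$SHADOW_LOCKED" "$SHADOW_EMPTY" "$SHADOW_HASHED"; do
    for grub in "$GRUB_OPEN" "$GRUB_LOCKED"; do
        printf 'root=%-12s menu=%-9s -> %s\n' \
            "$(root_password_state "$shadow")" \
            "$(grub_edit_protected "$grub")" \
            "$(console_root_exposure "$shadow" "$grub")"
    done
done
```

Run it as-is to see the matrix; on a real box you would feed it `grep '^root:' /etc/shadow` (as root) and the contents of /boot/grub/grub.cfg instead of the constructed strings. Note that a "protected" result only says the menu editor is password-gated; it says nothing about booting from removable media or opening the case, which is the physical-access point made elsewhere in the thread.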


