[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: to allow root logins or not?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Folkert wrote:

> Okay. then, do a test install with root disabled, Then try to login from
> the console as root.
> 
> Won't work.

Yes, with "normal" runlevels.

> What you are trying to intimate is that when booting into single user
> mode you just get right in.

Well, yes. I recently did a clean install with root logins disabled.
When I booted into single user mode it said something about root account
being disabled and gave me a root prompt. Is this not the expected behavior?

> Okay, so if you *ARE* at the console and you
> are booting... what is to stop you from doing a modified boot where
> "init = /bin/sh"
> 
> Hmmm. Didn't think about that huh?

I did. I have grub password-protected.

> And the analogy about a car and its locks... If the person is really
> interested in your car and it is behind bars or in a cage/locked down
> facility... what really matters is the physical access being removed.
> But once in there he/she only has a limited amount of time before the
> "authorities" take measures.

Maybe my analogy is not the best one. But this is a security concern. So
is passwordless BIOS setup, and so is passwordless bootloader. From what
I understand, we both agree on this.

My point is that the installer option does not do what it says. It makes
machine more secure once running, but makes it more vulnerable at boot
time, and it is not obvious that this will happen.

> Come on, think with me on this, don't let those piss-green colored
> glasses color your thinking habits.

Green does not really suit me.

I realize that it is trivial to fix. I can password-protect grub, and
remove single user mode from the menu. I can also set an insanely
complex password for root user, and never use it.

I never fully understood why Debian does not default to most secure, but
this is not what I am talking about right now. I am merely pointing out
what I consider to be a problem with the installer.

Please do not take my words as a personal attack. That was never my
intention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGKpJAztOe9mov/y4RAv2MAJkBIu5pauWlHiu3T5gaZeTcOcqmZACfamAi
DKeh4jy0KU0GOJQ4tFaXa/E=
=EbcG
-----END PGP SIGNATURE-----
Reply to: