[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Passwordless root shell is offered when boot problem occurs.

Thank You for Your time and answer, Arno:

>> Hmm. I thought everybody has the same OS behavior in such
>> condition... And the problem here is only improper/default
>> configuration.
>That could very well be, but I haven't had a boot problem in years
>(well, except when trying out systemd). A standard Debian config should
>not offer a passwordless root shell unless you explicitly ask for it,

Oh, no! I didn't! :)

Do You have an idea where to look for that? - I have no ideas,

>Early boot messages should be found in /var/log/boot, but bootlogd
>seems very hit&miss on my systems. Filesystem checks are logged
>in /var/log/fsck.

Same here.

>It's not about emergency situations, although it certainly can be used
>as such. It's about accesss: if anyone has physical access to your
>machine, there are so many ways to access your system that it is silly
>to protect against one of them.

That's right. But it is just a link in a chain of undertakings to
protect the computer totally or, to make one's life harder. :)

On other hand, if we pursue this idea - that physical access makes a
host absolutely undefended, - we can let root account to be
password-less - for why worrying?

I understand the things You are speaking about - but I want ot all I
can to make it more secure - even having physical access to the host.

>So yes, protecting yourself from physical attacks by insisting on a
>root password is abnormal behaviour. How are you going to prevent an
>attacker from opening your PC and connecting the harddisk to his own

Probably, to supply a dynamite? :) - I think it goes beyond Debian
security, doesn't it?

>> - and in case I want to commit
>> what I have targeted, I have to develop the solution myself (that is
>> there is no a config. file that I might simply turn on the password
>> prompt for root shell in such cases)?
>In short, yes. If you really want to be that paranoid (and there are
>good reasons for it, especially on laptops), you should be looking at
>encryption as your solution (dm-crypt, truecrypt, bitlocker), not

Oh, OK... Thanks again.

Reply to: