Date:      Wed, 30 Jun 1999 11:42:09 -0700
From:      "Jackson, Douglas H" <douglas.h.jackson@intel.com>
To:        freebsd-security@FreeBSD.ORG
Cc:        "'brooks@one-eyed-alien.net'" <brooks@one-eyed-alien.net>, Anil Jangity <aj@entic.net>
Subject:   RE: kill!!!
Message-ID:  <0428AD6295E1D211AC4400A0C969E8A236F185@orsmsx43.jf.intel.com>

There are a number of ways to deal with a lost root password.

You can always boot to single user mode with no password. I guess a drawback
is that it requires a bit of down time while you do the reboot, and change
the password. But if your system is so insecure that you are losing your
root passwords, you probably have lots of downtime anyway.

You could also use su2, which would allow you to have a number of different
passwords which each allow you root access.  If you're losing track of the
current root because multiple people are all using su from time-to-time,
then this is probably a better bet for you anyway.

Doug

> -----Original Message-----
> From: brooks@one-eyed-alien.net [mailto:brooks@one-eyed-alien.net]
> Sent: Wednesday, June 30, 1999 11:30 AM
> To: Anil Jangity
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: kill!!!
> 
> 
> On Wed, 30 Jun 1999, Anil Jangity wrote:
> 
> > I was wondering, is it possible/safe to make kill(1) to not allow it to
> > kill a root process run from the console? Only the console should be able
> > to kill those processes and no one else.
> >
> > The reason is, I leave a root login on the console at all times... just
> > in case something stupid happens like the passwd is changed for root or you
> > can no longer su to root etc because of a compromise or whatever, but if
> > you have a logged in root already, it'll be easy to fix those. I was
> > thinking making kill not be able to kill the shell after it was hacked
> > etc. <rambling>
> 
> If you really wanted to, you could probably implement that feature, but I
> think it would require a higher secure level.  In reality, it's probably a
> waste of time for your purposes.  See the commit message below (this was
> also committed to the RELENG_3 branch):
> 
> --<cut>--
> peter       1999/04/03 20:36:50 PST
> 
>   Modified files:
>     libexec/getty        gettytab.5 gettytab.h init.c main.c
>   Log:
>   Add an 'al' (autologin username) capability to getty/gettytab.  This is a
>   damn useful thing for using with serial consoles in clusters etc or secure
>   console locations.  Using a custom gettytab entry for console with
>   an entry like 'al=root' means that there is *always* a root login ready on
>   the console.  This should replace hacks like those which go with conserver
>   etc.  (This is a loaded gun, watch out for those feet!)
>   
>   Submitted by:  "Andrew J. Korty" <ajk@purdue.edu>
> --<cut>--
> 
> -- Brooks
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

