From owner-freebsd-questions@FreeBSD.ORG Wed Mar 4 22:53:12 2015
From: Daniel Peyrolon
Date: Wed, 04 Mar 2015 22:53:09 +0000
Subject: Re: Check root password changes done via single user mode
To: Arthur Chance, zep, freebsd-questions@freebsd.org
References: <54F56A83.3000404@gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org> <54F71117.7050606@gmail.com> <54F71E2F.1000705@qeng-ho.org> <54F73455.5080509@gmail.com> <54F7351A.4010900@gmail.com> <54F74B10.7090901@qeng-ho.org>
List-Id: User questions

Hi everyone,

What about patching the actual function used to store the password? Another option would be to write a rootkit and hook it to the syscall used to open the password file. If it's opened with write permissions, just let the system owner know somehow (sysctl, writing a file somewhere...). Besides, being a kernel module itself, it would be able to detect if the system is in SUM, and thus activate itself automatically, if I'm not wrong.

Of course, that could be avoided simply by mounting the filesystem in a live system and changing the password there. Once again, the solution to that is encryption.

Someone will be able to correct me and provide us with more information, but that's as far as I can get on this.

On Wed, 4 Mar 2015 at 19:12, Arthur Chance () wrote:

> On 04/03/2015 16:38, zep wrote:
> >
> >
> > On 03/04/2015 11:35 AM, Ricardo Martín wrote:
> >> At this point you might want to review the original post again.
> >> It's a simple and specific request for comments about whether it's
> >> feasible to somehow flag a root's password reset in SUM.
> >> No more, no less.
> >>
> >
> > perhaps you should review the responses. the short answer is 'sort
> > of, but not really the way you seem to want to; also it's a bit of a
> > fool's errand and whoever pointed you down this path doesn't like you
> > very much'.
> >
>
> I'd agree with that. :-)
>
> If someone has simply changed the root password and done nothing else
> it's trivial to detect that it's changed - the daily periodic password
> backup will do that and it's enabled by default. You might also be able
> to decide whether it happened during multi- or single- user mode based
> on the modification time of the password file.
>
> If the person who changed it doesn't want you to find out it's changed,
> you are going to have a learning experience.
>
> --
> Those who do not learn from computing history are doomed to
> GOTO 1
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
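The two checks Arthur mentions (diff root's hash against the copy the daily periodic backup keeps, then look at the password file's mtime relative to the last boot), written out as an added example. This is not code from the thread and not FreeBSD's own periodic(8) script; it works on constructed sample files so it runs anywhere, and on a real host you would point it at /var/backups/master.passwd.bak and /etc/master.passwd. The kern.boottime parsing in the usage comment is an assumed one-liner, and the placeholder hashes are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's periodic(8) scripts.
# It mirrors what daily/200.backup-passwd reports (a diff against
# /var/backups/master.passwd.bak) and adds Arthur's mtime hint.
# master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell

# Print root's password hash from a master.passwd-format file (empty if absent).
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# True (exit 0) when root's hash differs between the backup ($1) and the live file ($2).
root_hash_changed() {
    [ "$(root_hash "$1")" != "$(root_hash "$2")" ]
}

# File mtime in epoch seconds: GNU stat first, BSD stat(1) (-f %m) as fallback.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Heuristic only: a password file written before the last multi-user boot
# ($2, epoch seconds) was edited while the box was down or in single-user
# mode. Anyone who can edit the file can also touch(1) its mtime, so treat
# "before-boot" as a hint, never as proof.
when_changed() {
    if [ "$(mtime_epoch "$1")" -lt "$2" ]; then
        echo before-boot
    else
        echo after-boot
    fi
}

# One-line verdict for a backup/live pair ($1, $2) given the last boot time ($3).
report() {
    r_bak=$1; r_live=$2; r_boot=$3
    if root_hash_changed "$r_bak" "$r_live"; then
        echo "root hash changed ($(when_changed "$r_live" "$r_boot"))"
    else
        echo "root hash unchanged"
    fi
}

# Constructed sample data (placeholder hashes, not real ones): a backup copy
# and a "live" copy whose root hash was replaced. Prints the directory.
setup_samples() {
    s_dir=$(mktemp -d)
    cat > "$s_dir/master.passwd.bak" <<'EOF'
root:$6$oldsaltxx$OLDHASHPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    sed 's/oldsaltxx/newsaltyy/; s/OLDHASHPLACEHOLDER/NEWHASHPLACEHOLDER/' \
        "$s_dir/master.passwd.bak" > "$s_dir/master.passwd"
    echo "$s_dir"
}

# Stand-alone run on the constructed files. On a real FreeBSD host you would
# instead pass the backup, the live file and the boot time, e.g. (assumed
# parsing of kern.boottime's "{ sec = N, usec = M } ..." output):
#   report /var/backups/master.passwd.bak /etc/master.passwd \
#       "$(sysctl -n kern.boottime | sed 's/^{ sec = \([0-9]*\),.*/\1/')"
demo_dir=$(setup_samples)
report "$demo_dir/master.passwd.bak" "$demo_dir/master.passwd" 0
rm -rf "$demo_dir"
```

The script only tells you that the hash differs and roughly when the file was last written; as the thread says, someone who edits the file from a live CD can also reset the mtime or replace the backup, so this catches the careless case, not the careful one.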