Date:      Tue, 15 May 2012 01:40:11 -0700
From:      mahdieh salamat <mahdieh.salamat@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Fwd: Single user mode
Message-ID:  <CAL5m1BtpNomf8qUONOHf2i-jPyRrPK7ZRvH3nsePStZuEQ_UmQ@mail.gmail.com>
In-Reply-To: <CAL5m1Bsu7M9qZ3xt7U4H9v-jBDWdf-q1M=Y=v5NTy9QPGcLORQ@mail.gmail.com>
References:  <CAL5m1BsnURTXsZJEkF9sR-3wsVRHkOto-CuCSuJCgH2yivNGPg@mail.gmail.com> <7439f3d4019914591b036aa45cfd75e7@vahid-shokouhi.net> <CAL5m1BtxL_=jGKE=xbKqJxaxnuscid_5LJXwPNpZz8AEmpQuaA@mail.gmail.com> <40e269c44ec592d0ce3e2d85fd8a032d@vahid-shokouhi.net> <CAL5m1Bt2RQ_%2BW5qV9TN4G5VtCAj8VD4UkLCTwQR2OMSyi2iVTA@mail.gmail.com> <c8a82efd162ce1d32a9a05ed6d78557e@vahid-shokouhi.net> <CAL5m1Bsu7M9qZ3xt7U4H9v-jBDWdf-q1M=Y=v5NTy9QPGcLORQ@mail.gmail.com>

Thanks all, I have another question. Certainly you have seen this message at
FreeBSD startup: "Hit [Enter] to boot immediately, or any other key for
command prompt."
After seeing it, if you press any key you enter another mode, and if you type
'?' you can see the list of commands. I want to remove this mode; it's so
important that a user can't access this mode.
Who can help me?
Thanks



---------- Forwarded message ----------
From: mahdieh salamat <mahdieh.salamat@gmail.com>
Date: Mon, May 14, 2012 at 4:29 AM
Subject: Re: Single user mode
To: Vahid Shokouhi <vahid@vahid-shokouhi.net>


I really thank you, it's a really perfect forum. I searched more and more to
find a Persian website about FreeBSD; now I have found it. Thank you


On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi <vahid@vahid-shokouhi.net> wrote:

> You are most welcome.
>
> [I don't know if you know this place; assuming you don't, I'll let you
> know]:
>
> www.imenpardis.com
>
> This site, which is actually for the "Imen Pardis" company, is owned by
> Mr. Babak Farrokhi, who is a famous port maintainer in the FreeBSD project (the
> only person in the Middle East), and author of a great book on FreeBSD
> administration. He is a guru in the whole Unix family: Unix, Solaris, BSD, Linux;
> you can google his name and get some info about him. He is a well-known
> Unix expert in the world.
> You can join its forum and ask your questions and also help others
> solve their problems. I don't know all the people in the forum, but as
> Mr. Farrokhi is always supportive and available to answer your questions, you
> can get the right answer from the right person. If I know one word in
> FreeBSD, he knows thousands.
>
> Regards
>
> On 2012-05-14 13:08, mahdieh salamat wrote:
>
>> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
>> Thanks a lot
>>
>> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi
>> <vahid@vahid-shokouhi.net> wrote:
>>
>>> Hi
>>>
>>> Well, there are 2 approaches to any machine security. First, you
>>> have a fresh machine and it's supposed to be only for you; second,
>>> you are admin of a machine which others have access to for
>>> their work purposes. Your question seems close to the first scenario.
>>>
>>> As I wrote before, yes it's possible (by default) that any user
>>> gains access to your machine resources in single-user mode; so we
>>> talked about editing /etc/tty. The other place which needs to be
>>> taken care of is /ETC/LOGIN.ACCESS; every time a user wants to
>>> log in, FreeBSD checks this file and its rules. By default there is
>>> NO rule defined, which means NO restriction to log in. You can
>>> configure this file in 2 ways [like switch and router ACLs]: you can use
>>> "_permit-based_" rules, in which you first permit specific user(s)
>>> and then deny others; and you can use "_deny-based_" rules, in which
>>> you deny ALL and then permit someone. You should be familiar with the
>>> syntax and format of this file; for example it uses "+" to give
>>> access and "-" to reject access. For example:
>>>
>>> The following is "permit-based"; it gives the "wheel" group console
>>> access and rejects the others (ALL). Note the "+" & "-":
>>>
>>> +:WHEEL: CONSOLE
>>> -:ALL:CONSOLE
>>>
>>> The following is "deny-based". Note the syntax for how "permit" is
>>> given:
>>>
>>> -:ALL EXCEPT WHEEL: CONSOLE [EXCEPT is the permit definer]
>>>
>>> The second format is preferred and recommended; it is both
>>> shorter and somewhat more secure.
>>>
>>> Anyway, this is for the 1st situation, where the machine is only yours,
>>> and you can protect your machine by applying some physical-access
>>> rules. But in the real world you have to deal with the second condition. Then
>>> you have to focus on many things: limiting users' use of any resource
>>> by editing /ETC/LOGIN.CONF, the permissions of files, the flags,
>>> clearing your machine of unknown/unnecessary users (daemons),
>>> using jail and so on.
>>>
>>> I hope it is helpful for you and gives you some hints on securing.
>>>
>>> If there is any question, please feel free and don't hesitate to
>>> ask.
>>>
>>> Regards
>>>
>>> Vahid Shokouhi
>>>
>>>
>>> On 2012-05-14 09:53, mahdieh salamat wrote:
>>>
>>>> Thanks for your help, it was so useful. I want to know that when a user
>>>> is using a machine and he/she doesn't have root's password, can he/she
>>>> access it? For example by single user mode or other modes?
>>>>
>>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi
>>>> <vahid@vahid-shokouhi.net> wrote:
>>>>
>>>>> Hi
>>>>> Yes, it is possible to gain access via single-user, but
>>>>> single-user mode is for the root user to configure something as he
>>>>> likes; but if the machine is accessible to others, you need to edit
>>>>> "/etc/tty" to prompt for a password in single user mode, although
>>>>> keep in mind anyone with physical access to the machine can still
>>>>> retrieve your data through various methods.
>>>>> In /etc/tty note the "secure" term, which actually has a different
>>>>> meaning. It means that you consider, for example, "console" as a
>>>>> secure mode; so you have to change it to "insecure".
>>>>> After rebooting and entering single user mode, you will be
>>>>> prompted for a password to get to the shell prompt.
>>>>>
>>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
>>>>>
>>>>>> Hi everybody. I have a question about single user mode in
>>>>>> FreeBSD. Security is so important for me. I want to know whether
>>>>>> someone who doesn't know my root password can access it. In other
>>>>>> words, in our FreeBSD we don't have the FreeBSD boot loader menu;
>>>>>> we deleted it for our users because of security. I want to know
>>>>>> whether there is any other way, except the boot loader menu, for our
>>>>>> users to access our root's password.
>>>>>> Thanks



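The two hardening steps in Vahid's replies (mark the console "insecure" in /etc/ttys, which the thread writes as /etc/tty, and add a deny-based rule to /etc/login.access), as an added shell example that is not from the thread: it audits a ttys(5) file, prints the hardened version, and evaluates a login.access(5) rule set for a user on the console. The function names are mine and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: audit /etc/ttys (written /etc/tty in the
# thread) and /etc/login.access. Paths are arguments so the constructed
# sample files at the bottom can be used instead of the real ones.
# console_is_secure FILE: succeed if the active console line of a ttys(5) file
# carries "secure", i.e. single-user mode gives a root shell with no password.
console_is_secure() {
    awk '!/^#/ && $1 == "console" { for (i = 2; i <= NF; i++) if ($i == "secure") s = 1 }
         END { exit (s ? 0 : 1) }' "$1"
}

# harden_console FILE: print FILE with the console flag changed to "insecure",
# so init(8) asks for the root password before handing out that shell.
harden_console() {
    sed -E '/^console[[:space:]]/ s/([[:space:]])secure([[:space:]]|$)/\1insecure\2/' "$1"
}

# console_access FILE USER "GROUP ...": evaluate a login.access(5) file for USER
# logging in on the console and print permit or deny. First matching rule wins;
# no matching rule means permit, which is the default the thread warns about.
console_access() {
    awk -v user="$2" -v groups="$3" '
    # One users/origins list: tokens are ALL, a name or a group, compared
    # case-insensitively; tokens after EXCEPT exclude instead of include.
    function matches(list, u, g,    n, t, i, exc, inc, hit) {
        n = split(list, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (t[i] == "") continue
            if (t[i] == "EXCEPT") { exc = 1; continue }
            hit = (t[i] == "ALL" || tolower(t[i]) == u ||
                   index(" " g " ", " " tolower(t[i]) " ") > 0)
            if (hit) { if (exc) return 0; inc = 1 }
        }
        return inc
    }
    !/^#/ && NF {
        if (split($0, f, ":") < 3) next
        if (matches(f[2], user, groups) && matches(f[3], "console", "")) {
            verdict = (f[1] ~ /^[ \t]*[+]/) ? "permit" : "deny"
            print verdict; matched = 1; exit
        }
    }
    END { if (!matched) print "permit" }' "$1"
}
# Constructed samples: a stock-style ttys console entry and the deny-based rule
# quoted in the thread (on a real host use /etc/ttys and /etc/login.access).
TTYS_SAMPLE=$(mktemp); ACCESS_SAMPLE=$(mktemp)
printf 'console\tnone\tunknown\toff\tsecure\nttyv0\t"/usr/libexec/getty Pc"\txterm\ton  secure\n' > "$TTYS_SAMPLE"
printf -- '-:ALL EXCEPT WHEEL: CONSOLE\n' > "$ACCESS_SAMPLE"
```

Run `console_is_secure /etc/ttys` as root on the real host: success means single-user mode will hand out a root shell without a password, which is exactly the setting the thread says to flip to "insecure".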