From owner-freebsd-stable Tue Apr 3 12:31:58 2001 Delivered-To: freebsd-stable@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 4EC1737B71E; Tue, 3 Apr 2001 12:31:54 -0700 (PDT) (envelope-from jwyatt@rwsystems.net) Received: from bsdie.rwsystems.net([209.197.223.2]) (1625 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 3 Apr 2001 14:30:12 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Tue, 3 Apr 2001 14:30:12 -0500 (CDT) From: James Wyatt To: freebsd-security@freebsd.org Cc: freebsd-stable@FreeBSD.ORG Subject: Re: su change? In-Reply-To: <20010403140935.F9618@pir.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, 3 Apr 2001, Peter Radcliffe wrote: > Matthew Emmerton probably said: > > Just consider your friend lucky - doing similar things to the root account > > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete > > reinstall - especially if it's running C2-level security. > > False. > > Solaris, certainly, would just require booting from cdrom, mounting / > and editing the password file. Why is booting from CDROM a better fix than booting single-user from the hard disk? The original poster wanted to avaoid a reboot *at all*. Solaris, AIX, and even FreeBSD can be booted from a CDROM nowadays, but I've recovered a SCO system that had a security-fault in it's trustware. Reinsall was the advised procedure, but there were enough security-db tools to recover the root account. On the high-security systems I've seen, a skilled tech can usually recover the system to allow operation, but the machine should be considered tainted and reinstalled ASAP if you ever want support from the vendor or peace from your auditors. - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message