Date:      Wed, 22 Sep 2004 08:23:19 -0700
From:      "Keith Baldwin" <keith@southo.net>
To:        <freebsd-isp@freebsd.org>
Subject:   RE: funny customers
Message-ID:  <029901c4a0b8$17069330$f501a8c0@southog2bwobmh>
In-Reply-To: <65077.62.242.151.142.1095864567.squirrel@mailbox.wingercom.dk>

Didn't see it posted yet so here.

From http://www.daemonnews.org/200108/security-howto.html in the Local
Security section:

"Let's begin with /etc/ttys. Open it up in your favorite editor and find the
console line:

console none			unknown off secure

Change "secure" to "insecure", so the user is asked for the root password
when going to single user mode. Be warned this will also make recovering
lost root passwords more difficult, but it will prevent someone from gaining
root access to your machine locally provided they do not have a boot disk."

Regards,
Keith


-----Original Message-----
From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org]
On Behalf Of Per Engelbrecht
Sent: Wednesday, September 22, 2004 7:49 AM
To: freebsd-isp@freebsd.org
Subject: Re: funny customers

Hi Dennis

>
> On Wed, Sep 22, 2004 at 11:45:13AM +0200, Per Engelbrecht wrote:
>> But right now I need a way to bypass (I don't think it's possible)
>> the single_user mode root login feature.
>
> Just an idea (as it doesn't work ;) ...
>
> A trick known from linux is to boot the kernel with /bin/sh instead
> of /sbin/init. You'd do "set init_path=/bin/sh" for that in the
> loader. This would bypass the usual startup and thus you won't be
> asked for the password.
>
> However, I just tried this and it doesn't work. The sh immediately
> exits and consequently the kernel panics. Don't know what's the
> problem there...

Hmm .. I'm not sure why, but in FreeBSD both csh (default root
shell ... *&#@$!) and sh are linked static and tampering with these
from the boot-process through /sbin/init (which is the last part of
the boot-process anyway) is something I wouldn't do.
Creative thinking though :)
Thank you Dennis.

respectfully
/per
per@xterm.dk


>
> - D.
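
An added example, not part of the original messages: a small sh check for the /etc/ttys setting quoted above, reporting whether the console entry still carries the "secure" flag. The function name and return codes are made up for this example, and it assumes a console line with neither flag is treated like "insecure".

```sh
#!/bin/sh
# Added example (not from the thread): report how ttys(5) marks the console.
# Return codes: 0 = root password required for single-user mode,
#               1 = console marked "secure" (no password asked),
#               2 = no console entry, 3 = file unreadable.
check_console_ttys() {
    ttys_file=${1:-/etc/ttys}
    [ -r "$ttys_file" ] || { echo "cannot read $ttys_file" >&2; return 3; }
    awk '
        { sub(/#.*/, "") }             # strip comments
        { gsub(/"[^"]*"/, "QUOTED") }  # a quoted getty command counts as one field
        $1 == "console" {
            found = 1; secure = 0
            # fields 1-3 are name, getty and type; the flags follow.
            # Assumption: neither flag present means "not secure".
            for (i = 4; i <= NF; i++) {
                if ($i == "secure")   secure = 1
                if ($i == "insecure") secure = 0
            }
        }
        END {
            if (!found) { print "console: no entry found"; exit 2 }
            if (secure) {
                print "console: secure (single-user mode gives root without a password)"
                exit 1
            }
            print "console: not secure (root password asked for single-user mode)"
            exit 0
        }
    ' "$ttys_file"
}

# Constructed sample: the console line quoted in the message above.
sample=$(mktemp)
printf 'console none\t\t\tunknown off secure\n' > "$sample"
check_console_ttys "$sample" || echo '-> change "secure" to "insecure" on this line'
rm -f "$sample"
```

Run with no argument on a FreeBSD host, the function reads /etc/ttys itself.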

