Date: Mon, 14 May 2001 14:02:15 -0400 (EDT) From: Rob Simmons <rsimmons@wlcg.com> To: Eric Anderson <anderson@centtech.com> Cc: "Oulman, Jamie" <JOulman@iphrase.com>, freebsd-security@freebsd.org Subject: Re: nfs mounts / su / yp Message-ID: <Pine.BSF.4.21.0105141358540.43455-100000@mail.wlcg.com> In-Reply-To: <3B0015E5.2E1AED1B@centtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 You could set the console to insecure in /etc/ttys. That way single user mode will ask for the root password. You still can't prevent someone from booting with their own floppy disk and making changes that way. I think the only way to prevent that is to use an encrypted filesystem of some sort. Robert Simmons Systems Administrator http://www.wlcg.com/ On Mon, 14 May 2001, Eric Anderson wrote: > If a user reboots their machine, goes into single user mode, and changes > the local root password (and adds their username into the wheel group of > course), then boots into multiuser mode, they can su to root, then su to > any NIS user they desire, and do malicious things as that user. su'ing > from root to any other user never asks for a password, so login.conf > isn't used (right?).. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7AB2qv8Bofna59hYRA0ebAKCQ9R1wLoemlWAuEdplqcSMcY12IQCfVH0B 8SkJHNs8J3aEYZ8dk27La2k= =Qb9E -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0105141358540.43455-100000>