Mailinglist Archive: opensuse (3225 mails)
Re: [SLE] Re: security hole?
- From: Ben Rosenberg <ben@xxxxxxxxx>
- Date: Sun, 14 Jul 2002 18:15:53 -0700
- Message-id: <20020715011553.GJ21018@xxxxxxxxx>
* Lee Mavrogenis (leemav@xxxxxxxxx) [020714 16:02]:
::Nevertheless (and here is where I respectfully disagree) I still think that
::with respect to a rescue/boot disk unless the root password is actually
::known it should not be allowed to be "reset" under any circumstances. Again
::this is an opinion. The down side is that if you forget the root password
::you will need to reinstall the OS--I think that is appropriate.
Yes, but this is possible with every OS. I wish I could express how
often our developers forget their root passwds and user passwds on their
Sun boxes..it would make your head spin. It's as easy as this to get
into a Sun box if you have physical access....
1. stop + a then boot cdrom -s
2. Once booted you do this 'mount -o rw /dev/dsk/c0t0d0s0 /a'
3. vi /a/etc/passwd
As Emeril would say *BAM* the box is rooted. ;) If you have physical
access...heck even if you don't. If the boxes are on terminal servers, if
you get access to the machine that's the admin for the terminal servers,
you've got root on every box on that terminal server. :)
Heck I have a boot disk with a Linux kernel that has NTFS support built
in and I can boot any WinNT and Win2K server and reset the admin passwd.
It's damn easy. *laugh*
A server is as secure as the air between the keyboard and their made
it..and 8-10 times they will miss something. :)
Remember I'm not digging on you..just letting you know that the SuSE
rescue system isn't any more of a security risk than any other..it's
actually saved my butt a few times. :)
Cheers!
-=Ben
--=====-----=====--
mailto:ben@xxxxxxxxx
--=====--
Tell me what you believe..I tell you what you should see. -DP
--=====-----=====--