Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Problem with second user with uid 0?
  • From: Frank Steiner <fsteiner-mail@xxxxxxxxxxxxxx>
  • Date: Sat, 12 Mar 2005 00:09:36 +0100
  • Message-id: <42322530.8040507@xxxxxxxxxxxxxx>
Mike Tierney wrote

If anyone is *REALLY* determined they can
1) Cut the padlock
2) Pop the case and clear the BIOS password via jumpers

Right. So whenever a user has physical access to the hardware, you can't
do much to prevent him from hacking into the system. And a user who
should recover a broken system when I'm off, should have access to the
server he needs to recover, so...

I think the question here is: How easy should it be for someone to get
root access? If users know the root password by default, they tend to
use it from time to time "to do a little fix or install a little program
because the admin has already gone home...", and that's what we don't
want.
In case something breaks while I'm not in the office, a pre-selected user
opens a sealed envelope. I see this when I'm back and change the password
again to avoid this user doing "a little fix or..." :-) Because this user
must have a key to the server room, I must trust him that he does not
open the server and reset the BIOS to break in. And if I trust him
this way, I can also trust him that he does not install a backdoor
after opening the envelope and working as root to fix the server.

That's the deal. Nothing more. And all I want to reach is to give
this user a different root password than my usual root password,
so that I don't have to change mine after the envelope was opened.


3) Change the BIOS back to booting from CDROM and pop in a boot disk
4) Not sure how they'd deal with the encrypted disks! Maybe get a job as a
cleaner and install a keystroke logger on the keyboard a few weeks
beforehand...?

So all of a sudden leaving the root password in a sealed envelope that's
stored in a locked filing cabinet doesn't sound so bad after all!!!!

Especially not for a chair with 10 people where we all know each other
very well and everyone knows where to get the key to enter the server
room :-)

--
Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr 17 Phone: +49 89 2180-4049
80333 Muenchen, Germany Fax: -4054
* Recursion can only be understood once you have understood recursion. *
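The thread's subject is a second uid-0 account with its own password. Whatever the policy decision, an admin who sets one up wants two checks afterwards: which accounts actually have uid 0, and whether the second account really carries a different password hash from root's rather than a copy of it. The script below is an added example, not code from this thread or from anyone posting in it; the passwd/shadow files it audits are constructed samples, and the hash strings in them are placeholders, not real crypt output.

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair for accounts sharing uid 0 and
# check that each extra uid-0 account has a password hash of its own.
# The sample files below are constructed for this demonstration.
set -u

# Print the login name of every account whose uid field is 0.
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && ($3 + 0) == 0 { print $1 }' "$1"
}

# Report on every non-root uid-0 account in $1 (passwd format) using the
# hashes in $2 (shadow format). Returns 0 when each such account is either
# locked or has a hash that differs from root's; returns 1 when one has an
# empty hash (passwordless uid 0) or the same hash as root (the "separate"
# root password is then just root's password under another name).
uid0_hashes_distinct() {
    passwd_file=$1 shadow_file=$2
    root_hash=$(awk -F: '$1 == "root" { print $2 }' "$shadow_file")
    status=0
    for user in $(uid0_accounts "$passwd_file"); do
        [ "$user" = root ] && continue
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        case $hash in
            '')           echo "$user: uid 0 with NO password hash"; status=1 ;;
            '!'*|'*'*)    echo "$user: uid 0, account locked" ;;
            "$root_hash") echo "$user: shares root's password hash"; status=1 ;;
            *)            echo "$user: uid 0, distinct password hash" ;;
        esac
    done
    return $status
}

# --- constructed sample data (not from any real system) ---------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SAMPLE_PASSWD=$WORKDIR/passwd
SAMPLE_SHADOW_DISTINCT=$WORKDIR/shadow.distinct
SAMPLE_SHADOW_SHARED=$WORKDIR/shadow.shared

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:recovery root (sealed envelope):/root:/bin/bash
steiner:x:1000:100:Frank Steiner:/home/steiner:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
EOF

# Placeholder hashes: toor's differs from root's here.
cat > "$SAMPLE_SHADOW_DISTINCT" <<'EOF'
root:$6$saltA$PLACEHOLDER_HASH_A:12860:0:99999:7:::
toor:$6$saltB$PLACEHOLDER_HASH_B:12860:0:99999:7:::
steiner:$6$saltC$PLACEHOLDER_HASH_C:12860:0:99999:7:::
sshd:!:12860:0:99999:7:::
EOF

# Same data, but toor was created by copying root's shadow entry.
cat > "$SAMPLE_SHADOW_SHARED" <<'EOF'
root:$6$saltA$PLACEHOLDER_HASH_A:12860:0:99999:7:::
toor:$6$saltA$PLACEHOLDER_HASH_A:12860:0:99999:7:::
steiner:$6$saltC$PLACEHOLDER_HASH_C:12860:0:99999:7:::
sshd:!:12860:0:99999:7:::
EOF

echo "uid-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "--- shadow with distinct hashes"
uid0_hashes_distinct "$SAMPLE_PASSWD" "$SAMPLE_SHADOW_DISTINCT" || echo "-> audit FAILED"
echo "--- shadow where toor copies root's entry"
uid0_hashes_distinct "$SAMPLE_PASSWD" "$SAMPLE_SHADOW_SHARED" || echo "-> audit FAILED"
```

Run against a live host by pointing the two functions at /etc/passwd and /etc/shadow (root privilege is needed to read shadow). A second uid-0 account shows up in the first check even if it was added by hand rather than via useradd, and the hash comparison catches the shortcut of duplicating root's shadow line, which would defeat the whole point of giving the envelope user a password of his own.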

