Mailinglist Archive: opensuse-security (228 mails)

< Previous Next >
Re: [suse-security] Problem with second user with uid 0?
  • From: Christian Volkmann <dummy100@xxxxxxxx>
  • Date: Thu, 10 Mar 2005 23:20:27 +0100
  • Message-id: <4230C82B.8090307@xxxxxxxx>
Just an additional hint for the security.

Each access to the console is a security risk. Not only the boot from CD.

You can e.g. boot with the option "init=/bin/bash" if it's not restricted.
=> logged in with a root shell
=> remount / "read write"
=> ( do not forget to "sync" manually after changes to recover a password.)
...

I would prefer to have a one time used password placed in a signed envelope.
If it's broken after an emergency action you have to choose a new password.
But you have to find a secure place for this envelope also...



Best regards,

Christian


Mike Tierney wrote:
> I'm in a similar situation of having to leave root passwords in "a secure
> place" incase I am not around. :(
>
> Though in the fsck case there is an alternative I have just thought of, but
> the solution may be WORSE than the problem! If you want people to be able to
> do a fsck in an emergency, then you could always leave a "Rescue CD" with
> your boss... Then if anyone needs to actually do a fsck on a crashed server
> they can use the rescue disk to boot up and fsck the filesystem in question,
> and then reboot the server.
>
> The drawback to this is that you have to leave the server bootable from CD
> :(, which is in itself a security hole. On a positive note though, people
> don't just have the root password "on tap" and are hopefully less inclined
> to obtain the rescue disk and boot up as root "just for the hell of it".
>
> It's always good to have rescue disks handy anyway, just incase the
> root/boot file system gets corrupted/damaged. Like I experienced last week
> during a routine outage...
>
>

< Previous Next >
References