Gentoo Forums
Root access security
elapointe
Posted: Sat Sep 18, 2004 2:18 pm    Post subject: Root access security

I just finished installing Gentoo.

I have a question about the security and integrity of a Linux system with the root account.

I don't understand how my system can be secure if anybody can chroot my partition and passwd my root account?

Maybe I misunderstand something?

Thanks for your help
NeddySeagoon
Posted: Sat Sep 18, 2004 2:26 pm

elapointe,

Only the users in the wheel group can su to become root.
Normal users only have read and write access to /home/<username>
So they can only trash their own accounts.

To passwd the root account you have to either be root already or show you know the old root password.

During the install, there is only the root user. You need to be root (within the chroot) to do the install.

After the install, your rights depend on who you log in as.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
elapointe
Posted: Sat Sep 18, 2004 3:44 pm

OK! But is it possible that someone can chroot an existing installed Gentoo Linux partition with a live CD?

mount /dev/hdaX /mnt/gentoo
chroot /mnt/gentoo /bin/bash
passwd

...

Thanks for your answer
Anime_Fan
Posted: Sat Sep 18, 2004 3:50 pm

NeddySeagoon wrote:
After the install, your rights depend on who you log in as.


Except it takes me very little time to either:
Create a boot floppy capable of chroot'ing your root partition
Create a boot cd-rom capable of chroot'ing your root partition
Create a PXE-capable server, and scripting an initrd that changes your root password on your next reboot if you have PXE enabled and set at priority above HDD boot
Edit your grub.conf, making the default boot init /bin/bash
[...]

_Most_ of the above require physical access to the machine, however (and PXE not commonly being enabled by default).

It is however possible to have a _small_, encrypted root partition, if you want to learn how to create custom initrds.

/bin, /etc and /sbin would all fit in a 100MB partition, but an encrypted root would require either a passphrase be entered at every boot, or having something like a USB device with the passphrase stored in a textfile be inserted at boot.
Though I would recommend not having a plaintext passphrase lying in a textfile of a USB stick.
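
A defensive check for the grub.conf item in the list above, as an added example that is not part of the original posts: it audits a GRUB legacy grub.conf for a kernel line whose init= points at a shell and for a missing global password directive. The sample configs, function names and finding labels are constructed for illustration, and treating a global password line as the menu lock is an assumption the thread itself does not discuss.

```shell
# Added example (not from the thread): audit a GRUB legacy grub.conf.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_grub_conf() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    awk '
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*title[ \t]/ {                   # start of a menu entry
            in_entry = 1
            sub(/^[ \t]*title[ \t]+/, ""); title = $0
            next
        }
        # A "password" line before the first title locks the whole menu.
        !in_entry && /^[ \t]*password[ \t]/ { have_pw = 1 }
        /^[ \t]*kernel[ \t]/ {
            # Flag init= pointing at a shell; init=/linuxrc (initrd) is normal.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^init=.*(\/sh|bash|dash|ksh|zsh)$/) {
                    printf "INIT_SHELL entry=\"%s\" arg=%s\n", title, $i
                    bad = 1
                }
        }
        END {
            if (!have_pw) { print "NO_MENU_PASSWORD"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: default entry tampered with as described in the post.
sample_tampered() {
    cat <<'EOF'
title Gentoo Linux
root (hd0,0)
kernel /kernel-2.6 root=/dev/hda3 init=/bin/bash
EOF
}

# Constructed sample: menu locked with a password (hash is a placeholder).
sample_locked() {
    cat <<'EOF'
password --md5 PLACEHOLDER_HASH
title Gentoo Linux
root (hd0,0)
kernel /kernel-2.6 root=/dev/hda3 init=/linuxrc
EOF
}

f=$(mktemp); sample_tampered > "$f"
audit_grub_conf "$f" || true; rm -f "$f"
```

A menu password only stops edits at the boot prompt; it does nothing against the boot-media and disk-removal cases in the same list, which is where the encrypted root partition comes in.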
NeddySeagoon
Posted: Sat Sep 18, 2004 3:52 pm

elapointe,

If they have physical access to the box - yes.
They could also start it in single user mode.

Anyone who has physical access to your box can clone your HDD and look at your stuff at their leisure. They could just steal your HDD.

If this worries you, remove the mouse, keyboard, CD-ROM, floppy drive and video card. The box will still boot and serve remote sessions. This makes it more difficult but not impossible.