linuxsingle

linuxsingle

[Ankit Jain]

ifanybody can tell me how to make changes in linux so
that a person cannot move to linux single mode in any
condition . not even from bootable CD

thanks

ankit

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: linuxsingle

[Jeff Woods]

At 4/10/2005 05:20 AM +0100, Ankit Jain wrote:
>ifanybody can tell me how to make changes in linux so that a person cannot 
>move to linux single mode in any condition . not even from bootable CD

Install Linux on your server, encase it in acrylic, lock it in a really 
good safe, weld the seams, encase in concrete, then (and you get your 
choice of options here) either (1) drop it into the Mariana Trench, or (2) 
hide it in a secret cavern on the dark side of the moon, or (3) drop the 
whole thing into the sun.  Obviously, the latter two are more expensive but 
they are more secure; after all, someone might find the server at the 
bottom of the ocean and go to the trouble to extract it from the 
hermetically sealed container.  As everyone knows, once a black hat has 
physical access to the server they can do whatever they like.  (You 
therefore might want to use a one-time pad cipher to encrypt the contents 
of the system, but of course it'll take some time to hand-key all that key 
length unless your data to be encrypted is very tiny.)

Practical security must be a compromise between need to access the data 
(and backup and recovery) and need to keep unauthorized people from 
accessing the data.  The way you keep single-user mode from getting 
everything is to physically secure the system.  How much physical and 
software security you need depends on the situation, but completely 
eliminating single-user mode (or the effective equivalents of booting from 
other media or moving the data storage to another machine) is not the 
solution.  Locking the hardware away from malicious and/or careless people 
is how to handle this part of security.

--
Jeff Woods <kazrak+kernel@cesmail.net> 

Re: linuxsingle

[Jim C. Brown]

On Sun, Apr 10, 2005 at 05:20:36AM +0100, Ankit Jain wrote:
> ifanybody can tell me how to make changes in linux so
> that a person cannot move to linux single mode in any
> condition . not even from bootable CD
> 
> thanks
> 
> ankit
> 

To disable single mode, you basicly have to patch /sbin/init. (This is actually
easier than it sounds, if u can get your hands on init source code.) You might
be able to get away by disabling runlevel 1 in /etc/inittab (or making it
the same as runlevel 3).

There is no way to stop a bootable CD. This is above the init level, above
the kernel level, and above the bootloader (lilo/grub) level. You can try to
disable this option from the BIOS, but even that is easy to work around.

-- 
Infinite complexity begets infinite beauty.
Infinite precision begets infinite perfection.

Re: linuxsingle

[Thornton Prime]

> On Sun, Apr 10, 2005 at 05:20:36AM +0100, Ankit Jain wrote:
> ifanybody can tell me how to make changes in linux so
> that a person cannot move to linux single mode in any
> condition . not even from bootable CD

Depending on your PC you can:

1. Set the BIOS to boot only to HD.
2. Set a BIOS password to make sure no one changes your boot preferences.

With those taken care of you can:

3. Set a password on your bootloader.

No one should be able to boot from CD or change the bootloader options
without the BIOS and/or bootloader passwords. Please keep in mind that
there are plenty of ways to circumvent these measures if anyone has
physical access to the machine (reset your bios, replace your drives,
etc.). Linux is no more or less susceptible to these issues than other
platforms.

Actually, in many ways Linux on good PC hardware is safer than other
Unix platforms. On many platforms you can boot an arbitrary kernel on
an arbitrary device if you have access to the physical console. Many
of those platforms have no BIOS restrictions or bootloader security.
Some of those platforms may have the init path hardcoded or may have
single user prompt for a password, but these are really of minimal
security if you can boot an arbitary kernel on an arbitrary device,
especially if that device is the network!

thornton

Re: linuxsingle

[chuck gelm]

Ankit Jain wrote:
> ifanybody can tell me how to make changes in linux so
> that a person cannot move to linux single mode in any
> condition . not even from bootable CD
> 
> thanks
> 
> ankit

  Dear Ankit:

  It is no longer a 'Linux' issue if you cannot protect
your computer/workstation/server from physical access.
This is a hardware issue, especially a motherboard issue.
Many motherboards can be booted from harddisk, floppy,
CD-ROM, USB, Network,...

  IMHO, this is not a linux issue.

HTH, Chuck

Re: linuxsingle

[Michael H. Warfield]

[-- Attachment #1: Type: text/plain, Size: 1881 bytes --]

On Sun, 2005-04-10 at 05:20 +0100, Ankit Jain wrote:
> ifanybody can tell me how to make changes in linux so
> that a person cannot move to linux single mode in any
> condition . not even from bootable CD

	Encrypt the hard drive including the root file system.  There are
several How-To's out there on encrypted root file systems and encrypted
swap (DON'T FORGET TO ENCRYPT YOUR SWAP!)  Burn a bootable CD-Rom with
your boot system.  Store the key to your file systems on a USB key which
you remove after booting.  [Alternative, on systems which can boot from
USB, burn it all to the USB key.]  Now, nobody can simply reboot your PC
for any reason without having that USB key.  At least, if they boot it
off a bootable CD, they still can't read the hard drive.  Then you just
have to make sure they can't log into the running system or switch to S
from a running system.

	You still need to worry about stuff like hardware keyloggers and other
nasty hardware stuff that people MIGHT install if they think you're
being cheeky with all this stuff.  You might tempt someone to show you
up.  :-)

> thanks

> ankit

	Mike

> ________________________________________________________________________
> Yahoo! Messenger - Communicate instantly..."Ping" 
> your friends today! Download Messenger Now 
> http://uk.messenger.yahoo.com/download/index.html
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: linuxsingle

[terry white]

... ciao:

on "4-13-2005" "Michael H. Warfield" writ:

: Burn a bootable CD-Rom with your boot system.

    it is a 'real' mistake to "assume" cd-r media a forever storage
solution.  a search for 'sunlight' at "theregister.com" offered among
other answers, the following:

     "CD-Rs deliver degrading experience

        Back to tape?Monday 1st September 2003 20:32 GMT"

    the jist of it, suggest that cd-r media not a carefree solution ...


-- 
... i'm a man, but i can change,
    if i have to , i guess ...

Re: linuxsingle

[Michael H. Warfield]

[-- Attachment #1: Type: text/plain, Size: 1465 bytes --]

On Thu, 2005-04-14 at 07:25 -0700, terry white wrote:
> ... ciao:

> on "4-13-2005" "Michael H. Warfield" writ:

> : Burn a bootable CD-Rom with your boot system.

>     it is a 'real' mistake to "assume" cd-r media a forever storage
> solution.  a search for 'sunlight' at "theregister.com" offered among
> other answers, the following:

>      "CD-Rs deliver degrading experience

>         Back to tape?Monday 1st September 2003 20:32 GMT"

>     the jist of it, suggest that cd-r media not a carefree solution ...

	Didn't claim that it was.  Neither are flash drives (limited rewrite
cycles, thousands, but still limited) or regular hard drives (just got
done recovering after several 250 Gig SATA drives developed flaws and
went dain bramaged on me).

	It wouldn't be a bad idea to keep a backup of that boot system but it
should be so generic that it should be possible to reproduce.  But the
"key" is the key!  Loose that, and you are toast.  So, yes, you should
have a backup of the USB key or where ever you store that key (you can
also use an entered passphrase) and then protect those backups,
especially of the keys.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: linuxsingle

[terry white]

... ciao:

on "4-14-2005" "Michael H. Warfield" writ:

:    On Thu, 2005-04-14 at 07:25 -0700, terry white wrote:
: >      "CD-Rs deliver degrading experience

: 	Didn't claim that it was.  Neither are flash drives ---

   the number of things you did not "claim" is limited only, by the
reader's knowledge set.  so, that is not a consideration here.

    what is, is "knowing" cd-r media has a finite shelf life after
being written.  i "did not" assume the entire readership aware
of that limitation, so thought its mention a good idea ...


-- 
... i'm a man, but i can change,
    if i have to , i guess ...

Re: linuxsingle

[markus reichelt]

[-- Attachment #1: Type: text/plain, Size: 1319 bytes --]

terry white <twhite@aniota.com> wrote:
> on "4-14-2005" "Michael H. Warfield" writ:
> 
> :    On Thu, 2005-04-14 at 07:25 -0700, terry white wrote:
> : >      "CD-Rs deliver degrading experience
> 
> : 	Didn't claim that it was.  Neither are flash drives ---
> 
>    the number of things you did not "claim" is limited only, by the
> reader's knowledge set.  so, that is not a consideration here.

I was going to mention the use of hard encryption as well (loop-aes,
not the kernel stuff; maybe a most recent kernel with dm-crypt).
Still, the implemented encryption schemes completely lack the ability
to check for tampering. That might backfire, but the chances for that
are pretty slim; nevertheless, that possibility exists. 

So instead of safe-guarding the machine at all times (by whatever
means), I guess encryption is the best shot.


>     what is, is "knowing" cd-r media has a finite shelf life after
> being written.  i "did not" assume the entire readership aware
> of that limitation, so thought its mention a good idea ...

True to mention, not only for very sensitive data like encryption
keys. Having had some nightmares because of faulty backup media, let
me stress that one just can't be paranoid enough when it comes to
backups.

-- 
Bastard Administrator in $hell


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]