* RH7.2: init 1 no password?
@ 2002-05-19 19:35 David Jackson
2002-05-19 19:54 ` Glynn Clements
0 siblings, 1 reply; 13+ messages in thread
From: David Jackson @ 2002-05-19 19:35 UTC (permalink / raw)
To: linux-admin; +Cc: jimintriglia
I would hope this issue has been raised before?
But when I bring my Redhat 7.2 box down to single user mode (shutdown or init 1) it puts me at a
root shell without asking for a password? Which
seems like a bit of a security problem to me?
Can I change this situation? Does anyone know of any other
Unix flavor that does this?
TIA,
David
* Re: RH7.2: init 1 no password?
2002-05-19 19:35 David Jackson
@ 2002-05-19 19:54 ` Glynn Clements
0 siblings, 0 replies; 13+ messages in thread
From: Glynn Clements @ 2002-05-19 19:54 UTC (permalink / raw)
To: david.jay.jackson; +Cc: linux-admin
David Jackson wrote:
> I would hope this issue has been raised before?
>
> But when I bring my Redhat 7.2 box down to single user mode (shutdown
> or init 1) it puts me at a root shell without asking for a password?
> Which seems like a bit of a security problem to me?
Why? The root shell is only accessible from the console. Anyone who
has physical access to the machine can probably do whatever they want
with it; software security mechanisms aren't much use in that
situation.
--
Glynn Clements <glynn.clements@virgin.net>
* Re: RH7.2: init 1 no password?
@ 2002-05-19 20:16 David Jackson
2002-05-19 20:58 ` 1stFlight
2002-05-21 14:33 ` Scott Taylor
0 siblings, 2 replies; 13+ messages in thread
From: David Jackson @ 2002-05-19 20:16 UTC (permalink / raw)
To: david.jay.jackson, Glynn Clements; +Cc: linux-admin
Glynn --
Thanks for your reply.
In my experience working in datacenters, anyone includes janitors and
$10.00 security guards. It still doesn't explain why RedHat has this
behavior; can you think of another Unix flavor that does this?
Solaris, Slackware and Debian don't?
Thanks again for reply,
David
>
>Why? The root shell is only accessible from the console. Anyone who
>has physical access to the machine can probably do whatever they want
>with it; software security mechanisms aren't much use in that
>situation.
* Re: RH7.2: init 1 no password?
2002-05-19 20:16 RH7.2: init 1 no password? David Jackson
@ 2002-05-19 20:58 ` 1stFlight
2002-05-20 8:24 ` Anatoli Souppes
2002-05-21 14:42 ` Scott Taylor
2002-05-21 14:33 ` Scott Taylor
1 sibling, 2 replies; 13+ messages in thread
From: 1stFlight @ 2002-05-19 20:58 UTC (permalink / raw)
To: david.jay.jackson; +Cc: Glynn Clements, linux-admin
Actually, this is a good point. Does anyone know of a way to secure init 1?
Darryl
David Jackson wrote:
> Glynn --
> Thanks for your reply.
> In my experience working in datacenters, anyone includes janitors and
> $10.00 security guards. It still doesn't explain why RedHat has this
> behavior; can you think of another Unix flavor that does this?
> Solaris, Slackware and Debian don't?
>
> Thanks again for reply,
> David
>
> >
> >Why? The root shell is only accessible from the console. Anyone who
> >has physical access to the machine can probably do whatever they want
> >with it; software security mechanisms aren't much use in that
> >situation.
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
It's not that life is so short, it's that death is so long...
* Re: RH7.2: init 1 no password?
[not found] <200205191355.AA10813750@wcox.com>
@ 2002-05-19 21:08 ` David Eduardo Gomez Noguera
0 siblings, 0 replies; 13+ messages in thread
From: David Eduardo Gomez Noguera @ 2002-05-19 21:08 UTC (permalink / raw)
To: Linux-Admin
I don't want to ask who the stupid root user (sorry about "user") is that
does that.
But the temptation is just too much.
In any case, you could just add an entry in inittab for runlevel one, or
disable it.
Also, as far as I know, changing runlevel doesn't close sessions.
(Maybe that's the problem.)
BTW, if you have used Slackware and/or Debian, either:
1. stick with it.
2. it is evident it can be done. Check what they do in the init
scripts.
If you just wrote this mail to say "Redhat is insecure!", "stop using
Redhat", or whatever with feelings to start a flame war, forget it
(except for this silly mail of mine ;) ). I'm not writing more on this
(unless I think it necessary).
On Sun, 2002-05-19 at 14:55, David Jackson wrote:
> David --
> Thanks for your reply.
> If you log in as root and type init 1, or shutdown now,
> The system goes directly to single user mode with no password.
> Completely bypassing lilo or any other bootloader?
> I've never seen that on any other Unix system (Debian, Slackware or Solaris)?
>
> Thanks,
> David
>
> >you can set a password (different from the root password) to be asked in
> >single user mode (before loading the kernel) if you are using lilo.
> >Don't know how to do it with other boot loaders though.
--
ICQ: 15605359 Bicho
=^..^=
First, they ignore you. Then they laugh at you. Then they fight you.
Then you win. Mahatma Gandhi.
------------------------------- spirit, sword and body as one ------------------------------------
Heat and cold last only until the equinox.
There is no teacher in love; love is beyond reasoning.
An an an, I love you so much
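The LILO password mentioned in the quoted reply is set with two directives in lilo.conf: `restricted` plus `password=`. With both, LILO prompts only when someone types extra kernel parameters at the boot prompt (such as "linux single" or "linux 1"); `password=` on its own prompts on every boot, which breaks unattended reboots, and `restricted` on its own does nothing. The shell script below is an added example, not code from the thread: it audits a lilo.conf for both directives and for the file being unreadable by group and other (the password is stored in clear text), using two small constructed lilo.conf files. It assumes the LILO keywords of that era and a file layout with one directive per line. As David points out in the same message, this guards the boot prompt only; it does nothing about `init 1` typed in a root shell on a running system.

```shell
#!/bin/sh
# Added example, not from the thread: audit a lilo.conf for boot-prompt
# password protection of single-user boots.  Assumption: LILO's
# "restricted" and "password=" keywords, clear-text password in the file.

# lilo_check FILE -> exit 0 when hardened, 1 otherwise; prints findings.
lilo_check() {
    f="$1"
    rc=0
    if grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$f"; then
        echo "ok:      restricted present"
    else
        echo "MISSING: restricted (password asked on every boot, or not at all)"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        echo "ok:      password= present"
    else
        echo "MISSING: password= (boot prompt accepts 'single' without a password)"
        rc=1
    fi
    # columns 5-10 of ls -l are the group and other permission bits
    if ls -ld "$f" | cut -c5-10 | grep -q r; then
        echo "WEAK:    $f readable by group/other; the password is clear text"
        rc=1
    fi
    return $rc
}

# write_samples -> prints a temp dir holding two constructed lilo.conf
# files: weak.conf (stock layout, mode 644) and hard.conf (hardened, 600).
write_samples() {
    dir=$(mktemp -d) || exit 1
    cat > "$dir/weak.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
    read-only
EOF
    cat > "$dir/hard.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
restricted
password=CHANGE-ME-placeholder
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
    read-only
EOF
    chmod 644 "$dir/weak.conf"
    chmod 600 "$dir/hard.conf"
    printf '%s\n' "$dir"
}

# Stand-alone run: audit both constructed samples.
samples=$(write_samples)
for c in weak.conf hard.conf; do
    echo "== $c"
    lilo_check "$samples/$c" || echo "-> $c needs attention"
done
rm -rf "$samples"
```

After editing the real /etc/lilo.conf, run /sbin/lilo again so the boot sector picks up the change; editing the file alone changes nothing.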
* Re: RH7.2: init 1 no password?
2002-05-19 20:58 ` 1stFlight
@ 2002-05-20 8:24 ` Anatoli Souppes
2002-05-21 14:42 ` Scott Taylor
1 sibling, 0 replies; 13+ messages in thread
From: Anatoli Souppes @ 2002-05-20 8:24 UTC (permalink / raw)
To: linux-admin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sunday 19 May 2002 21:58 pm, 1stFlight wrote:
> Actually this is a good point, anyone know of a way to secure init 1 ?
>
>
> Darryl
>
> David Jackson wrote:
> > Glynn --
> > Thanks for you reply
> > In my experience working in datacenters, anyone includes janitors and
> > $10.00 security guards. It still doesn't explain why RedHat has this
> > behavior; can you think of another Unix flavor that does this?
> > Solaris, Slackware and Debian don't?
> >
> > Thanks again for reply,
> > David
> >
> > >Why? The root shell is only accessible from the console. Anyone who
> > >has physical access to the machine can probably do whatever they want
> > >with it; software security mechanisms aren't much use in that
> > >situation.
> >
Just edit inittab and, under the line which reads
id:3:initdefault:
insert this:
~~:S:wait:/sbin/sulogin
This will ask you to log in.
- --
- --This is Linux Country. On a quiet night, you can hear Windows reboot.
- --------------------------------------------------------------------------------------------------------
Anatoli Souppes anatoli.souppes@financity.co.uk
Financity Ltd., Tel: 01483 29 5015
Guildford UK Fax: 01483 29 5016
- --------------------------------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE86LLJ+6oHupCsKzYRAtXMAJ93uhiz4murPBhT+D9FStMz+xXJAQCeKuNH
eNuMi2ZJqznHcfzXoBuMv1w=
=UhNc
-----END PGP SIGNATURE-----
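As an added example, not posted in the thread, the shell script below applies Anatoli's edit to a copy of inittab in a way that can be re-run safely: it parses the id:runlevels:action:process fields, reports whether any entry already runs /sbin/sulogin for runlevel S, and if not inserts `~~:S:wait:/sbin/sulogin` directly after the initdefault line. It also checks a shadow file for root actually having a password hash, because the sulogin documentation (quoted later in this thread by Glynn) says sulogin skips authentication when it cannot determine the root password, so the inittab entry is useless on a box where root's password field is empty or locked. The sample inittab and shadow lines are constructed for the example; the hash is a placeholder, not a real one.

```shell
#!/bin/sh
# Added example, not from the thread.  Idempotent version of the
# "~~:S:wait:/sbin/sulogin" fix, plus a check that root has a password
# hash for sulogin to verify.  inittab format: id:runlevels:action:process.

SULOGIN_LINE='~~:S:wait:/sbin/sulogin'

# has_sulogin INITTAB -> 0 if some non-comment entry runs sulogin in runlevel S
has_sulogin() {
    awk -F: '!/^[[:space:]]*#/ && NF >= 4 && $2 ~ /S/ && $4 ~ /sulogin/ { found = 1 }
             END { if (found) exit 0; exit 1 }' "$1"
}

# ensure_sulogin INITTAB -> inserts the entry after the initdefault line if
# missing (appends it if there is no initdefault).  Prints "added"/"present".
ensure_sulogin() {
    f="$1"
    if has_sulogin "$f"; then echo present; return 0; fi
    tmp="$f.tmp.$$"
    awk -F: -v line="$SULOGIN_LINE" '
        { print }
        !/^[[:space:]]*#/ && $3 == "initdefault" && !done { print line; done = 1 }
        END { if (!done) print line }' "$f" > "$tmp" && mv "$tmp" "$f"
    echo added
}

# root_has_password SHADOW -> 0 if root's password field holds a hash
# (not empty, not locked with "!" or "*").
root_has_password() {
    awk -F: '$1 == "root" { pw = $2 }
             END { if (pw != "" && pw !~ /^[!*]/) exit 0; exit 1 }' "$1"
}

# make_samples -> prints a temp dir with a constructed Red Hat style inittab
# and two constructed shadow files (placeholder hash, and a locked root).
make_samples() {
    dir=$(mktemp -d) || exit 1
    cat > "$dir/inittab" <<'EOF'
# constructed sample, modelled on a Red Hat style inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$placeholderHashNotReal000:11826:0:99999:7:::
bin:*:11826:0:99999:7:::
EOF
    cat > "$dir/shadow.locked" <<'EOF'
root:!!:11826:0:99999:7:::
bin:*:11826:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run on the constructed samples.
samples=$(make_samples)
echo "first pass:  $(ensure_sulogin "$samples/inittab")"
echo "second pass: $(ensure_sulogin "$samples/inittab")"
root_has_password "$samples/shadow" && echo "shadow: root has a password hash"
root_has_password "$samples/shadow.locked" || echo "shadow.locked: no hash for sulogin to check"
rm -rf "$samples"
```

On a live system, run `telinit q` after editing /etc/inittab so init re-reads it; the new entry only takes effect the next time init enters runlevel S.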
* Re: RH7.2: init 1 no password?
@ 2002-05-21 14:29 Scott Taylor
0 siblings, 0 replies; 13+ messages in thread
From: Scott Taylor @ 2002-05-21 14:29 UTC (permalink / raw)
To: linux-admin
At 12:35 PM 19/05/2002, you wrote:
>I would hope this issue has been raised before?
>But when I bring my Redhat 7.2 box down to single user mode (shutdown or
>init 1) it puts me at a root shell without asking for a password?
>Which seems like a bit of a security problem to me?
Please don't tell me RH allows normal users to use shutdown or init
commands. If that is the case, fix it, simple permissions will do the job.
>Can I change this situation?
Of course you can, with *nix you control the system.
* Re: RH7.2: init 1 no password?
2002-05-19 20:16 RH7.2: init 1 no password? David Jackson
2002-05-19 20:58 ` 1stFlight
@ 2002-05-21 14:33 ` Scott Taylor
1 sibling, 0 replies; 13+ messages in thread
From: Scott Taylor @ 2002-05-21 14:33 UTC (permalink / raw)
To: linux-admin
At 01:16 PM 19/05/2002, David Jackson wrote:
>Glynn --
>Thanks for you reply
>In my experience working in datacenters, anyone includes janitors and
>$10.00 security guards. It still doesn't explain why RedHat has this
>behavior; can you think of another Unix flavor that does this?
>Solaris, Slackware and Debian don't?
Your top post doesn't make any sense.
What Glynn says is true: you don't need access to init 1 or shutdown or
even root permissions to access any machine if you have access to the
console. If your security and janitors have access to it, you better make
sure you can trust them. I don't know why anyone paying security $10.00
would trust them with the key to the servers.
* Re: RH7.2: init 1 no password?
2002-05-19 20:58 ` 1stFlight
2002-05-20 8:24 ` Anatoli Souppes
@ 2002-05-21 14:42 ` Scott Taylor
1 sibling, 0 replies; 13+ messages in thread
From: Scott Taylor @ 2002-05-21 14:42 UTC (permalink / raw)
To: linux-admin
At 01:58 PM 19/05/2002, you wrote:
>Actually this is a good point, anyone know of a way to secure init 1 ?
the same way you secure any executable.
* Re: RH7.2: init 1 no password?
@ 2002-05-21 16:47 David Jackson
2002-05-21 17:01 ` Glynn Clements
0 siblings, 1 reply; 13+ messages in thread
From: David Jackson @ 2002-05-21 16:47 UTC (permalink / raw)
To: linux-admin, Scott Taylor
Scott --
First -- I have a lot of respect for Glynn's opinions, but I think the responses to this question ignore basic security concerns, and don't explain why Redhat goes against basic security practice.
Second --
What that extra login does is force you to stop and think before taking an action. As the old saying
goes, "An ounce of prevention is worth a pound of cure". In a 24x7 datacenter with 300+ servers and it's me and 2 other admins, and it's 03:00AM on Sunday, and backups are crashing left and right,
and it's the end of what's been a long week,
that "Maintenance Mode" message and prompt could
be enough to remind me that Glynn is dialing in
from home and working on that box, or even worse,
keep me from waking Glynn up at 03:00 to tell
him what he already knows.
Finally, my question comes from 4 years of Solaris
experience supporting datacenters for clients, including
Sun Microsystems, in the US.
David
>
>What Glynn says is true: you don't need access to init 1 or shutdown or
>even root permissions to access any machine if you have access to the
>console. If your security and janitors have access to it, you better make
>sure you can trust them. I don't know why anyone paying security $10.00
>would trust them with the key to the servers.
>
>
* Re: RH7.2: init 1 no password?
2002-05-21 16:47 David Jackson
@ 2002-05-21 17:01 ` Glynn Clements
0 siblings, 0 replies; 13+ messages in thread
From: Glynn Clements @ 2002-05-21 17:01 UTC (permalink / raw)
To: linux-admin
David Jackson wrote:
> First -- I have a lot of respect for Glynn's opinions, but I think the
> responses to this question ignore basic security concerns, and
> don't explain why Redhat goes against basic security practice.
Bear in mind that we are discussing the behaviour of runlevel 1. In
this situation, there is no networking. Some consequences of this:
1. There is no telnet/rsh/ssh access; the box is unusable unless
someone is sat in front of it. You just don't do "init 1" unless you
are at the console.
2. If your authentication is networked (NIS, Kerberos, others?), an
authenticated login may not be possible (although the "sulogin"
documentation does say that it will skip authentication if it can't
determine the root password; maybe this is what's actually happening?
Maybe sulogin is PAM-ified, and something in PAM fails due to the lack
of networking?)
--
Glynn Clements <glynn.clements@virgin.net>
* Re: RH7.2: init 1 no password?
@ 2002-05-21 17:35 David Jackson
2002-05-21 17:50 ` Glynn Clements
0 siblings, 1 reply; 13+ messages in thread
From: David Jackson @ 2002-05-21 17:35 UTC (permalink / raw)
To: linux-admin, Glynn Clements
Glynn --
This leads to the question of "console" servers for Linux. At Sun's Data Center (CO, US), which had over 300+ servers, I was able to get console access
by telneting into a specific port on a console server assigned to a specific server, and watch
the system reboot, halt the system, or whatever needed to be done.
The question is what would be involved with creating
a Linux console server?
>Bear in mind that we are discussing the behaviour of runlevel 1. In
>this situation, there is no networking. Some consequences of this:
As always, thanks for your input,
David
* Re: RH7.2: init 1 no password?
2002-05-21 17:35 David Jackson
@ 2002-05-21 17:50 ` Glynn Clements
0 siblings, 0 replies; 13+ messages in thread
From: Glynn Clements @ 2002-05-21 17:50 UTC (permalink / raw)
To: david.jay.jackson; +Cc: linux-admin
David Jackson wrote:
> This leads to the question of "console" servers for linux? Using
> Sun's Data Center (CO,US) which had over 300+ servers, I was able to
> get console access by telneting into a specific port on a console
> server, assigned to a specific server, and watch the system reboot,
> halt the system or whatever needed to be done.
> The question is what would be involved with creating
> a Linux console server?
Well, you could configure the individual servers to use a serial
console (CONFIG_SERIAL_CONSOLE), and connect them (via RS-232 cables)
to a box with a load of multiport serial cards and telnetd/sshd (or,
alternatively, a dedicated terminal concentrator).
--
Glynn Clements <glynn.clements@virgin.net>
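Wiring that up on each server touches three files that have to agree with each other: the kernel's `console=ttyS0,9600n8` argument (passed through `append=` in lilo.conf, with CONFIG_SERIAL_CONSOLE enabled in the kernel), a getty on the same port at the same speed in inittab, and the port listed in /etc/securetty, without which login refuses root on that line. The shell script below is an added example, not from the thread: it parses constructed copies of these files and flags the mismatches that leave you with a console that prints boot messages but never offers a login, a login prompt that shows garbage because the speeds differ, or a prompt that refuses root. Assumed, not from the page: `agetty -L 9600 ttyS0 vt100` as the inittab entry and the 2.4 kernel's `console=<dev>,<speed><parity><bits>` syntax.

```shell
#!/bin/sh
# Added example, not from the thread: check that a serial console is set up
# consistently across lilo.conf (kernel console=), inittab (getty) and
# securetty (root login permitted on that line).

# console_dev_speed LILO -> prints "<dev> <speed>" from the first
# console=ttySn,<speed> found in an append= line; exit 1 if none.
console_dev_speed() {
    out=$(sed -n 's/^[[:space:]]*append=.*console=\(ttyS[0-9][0-9]*\),\([0-9][0-9]*\).*/\1 \2/p' "$1" | head -1)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# getty_speed INITTAB DEV -> prints the speed of the respawning agetty
# entry on DEV (first numeric token, first of a comma list); prints
# nothing if there is no such entry.
getty_speed() {
    awk -F: -v dev="$2" '
        !/^[[:space:]]*#/ && $3 == "respawn" && $4 ~ /agetty/ {
            ondev = 0
            n = split($4, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == dev) ondev = 1
            if (!ondev) next
            for (i = 1; i <= n; i++)
                if (a[i] ~ /^[0-9]+(,[0-9]+)*$/) { sub(/,.*/, "", a[i]); print a[i]; exit }
        }' "$1"
}

# serial_console_check LILO INITTAB SECURETTY -> 0 if consistent; prints findings
serial_console_check() {
    lilo="$1"; inittab="$2"; securetty="$3"; rc=0
    ds=$(console_dev_speed "$lilo") || { echo "MISSING: no console=ttySn,<speed> in an append= line of $lilo"; return 1; }
    dev=${ds% *}; speed=${ds#* }
    echo "kernel console: $dev at $speed"
    gs=$(getty_speed "$inittab" "$dev")
    if [ -z "$gs" ]; then
        echo "MISSING: no respawning agetty on $dev in $inittab (boot messages only, no login)"; rc=1
    elif [ "$gs" != "$speed" ]; then
        echo "MISMATCH: agetty on $dev at $gs, kernel console at $speed (garbage at the prompt)"; rc=1
    else
        echo "ok: agetty on $dev at $gs"
    fi
    if grep -qx "$dev" "$securetty"; then
        echo "ok: $dev listed in $securetty"
    else
        echo "MISSING: $dev not in $securetty; login will refuse root on the serial console"; rc=1
    fi
    return $rc
}

# make_samples -> temp dir with constructed lilo.conf, inittab and securetty
# variants (one consistent set, one wrong speed, one missing getty/securetty).
make_samples() {
    dir=$(mktemp -d) || exit 1
    cat > "$dir/lilo.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
    read-only
    append="console=tty0 console=ttyS0,9600n8"
EOF
    printf 'id:3:initdefault:\n1:2345:respawn:/sbin/mingetty tty1\n' > "$dir/inittab.none"
    { cat "$dir/inittab.none"; echo 'S0:2345:respawn:/sbin/agetty -L 9600 ttyS0 vt100'; } > "$dir/inittab.good"
    { cat "$dir/inittab.none"; echo 'S0:2345:respawn:/sbin/agetty -L 19200 ttyS0 vt100'; } > "$dir/inittab.badspeed"
    printf 'tty1\ntty2\nttyS0\n' > "$dir/securetty.ok"
    printf 'tty1\ntty2\n' > "$dir/securetty.missing"
    printf '%s\n' "$dir"
}

# Stand-alone run over the constructed variants.
samples=$(make_samples)
for it in good badspeed none; do
    echo "== inittab.$it / securetty.ok"
    serial_console_check "$samples/lilo.conf" "$samples/inittab.$it" "$samples/securetty.ok" || echo "-> inconsistent"
done
echo "== inittab.good / securetty.missing"
serial_console_check "$samples/lilo.conf" "$samples/inittab.good" "$samples/securetty.missing" || echo "-> inconsistent"
rm -rf "$samples"
```

Once this is consistent, the console server becomes the place where root passwords are typed, so the concentrator Glynn describes should expose sshd rather than telnetd (telnet sends the root password in clear text across the network) and sit on a management network rather than the one the servers serve from.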