root password

root password

[Ankit Jain]

hi

i have forgotten my root pasword. i had installed
redhat linux 9.0 kernel version 2.4 with grub loader.
if somebody can tell me how to change the password
without logging.

thanks

ankit


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Ray Olszewski]

At 11:16 PM 3/29/2005 -0800, Ankit Jain wrote:
>hi
>
>i have forgotten my root pasword. i had installed
>redhat linux 9.0 kernel version 2.4 with grub loader.
>if somebody can tell me how to change the password
>without logging.


The normal solution to this sort of problem is to boot the system using a 
rescue disk (floppy or CD, depending on your hardware); mount the 
filesystem with the password problem at some convenient mount point; and 
delete the root password entry from /etc/shadow . Then reboot normally, log 
in as root (with no password) and set a new root password. Do all of this 
with the system disconnected from the Internet, of course, until you have a 
new root password in place.

Any other suggestion of how to become root without knowing the root 
password is a technique for breaking into systems, and I (and I hope 
everyone else) will not give advice on that publicly, in this forum or 
anywhere else.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Tobias Hirning]

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

Hi Ray!
> [...]
> Any other suggestion of how to become root without knowing the root
> password is a technique for breaking into systems, and I (and I
> hope everyone else) will not give advice on that publicly, in this
> forum or anywhere else.
Why shouldn't we know how the bad can break into our systems?
I think it's always better to know exactly how they do it.
Tobias

-- 
GPG-Fingerprint: C39E 5381 7721 8613 B5C9  CFAF 54FC B8DB D02D 7085
Registered Linux-User #367044
Registered Linux-Machine #262062
9x6=42
Diese E-Mail wurde mit einer fortgeschrittenen elektronischen
Signatur nach §2 2. d) SigG signiert.


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: root password

[Eric Bambach]

On Friday 01 April 2005 10:23 am, Tobias Hirning wrote:
> Hi Ray!
>
> > [...]
> > Any other suggestion of how to become root without knowing the root
> > password is a technique for breaking into systems, and I (and I
> > hope everyone else) will not give advice on that publicly, in this
> > forum or anywhere else.
>
> Why shouldn't we know how the bad can break into our systems?
> I think it's always better to know exactly how they do it.
> Tobias

Kernel parameter line init=/bin/(ba)sh (most effective IMO)
Boot cd/disk/ etc.
Physically removing the hard drive
Get the shadow file and crack
Overwrite the shadow file with an exploit
Sniff the password from telnet/unsecure services

...And many more, these just came off the top of my head.

-- 
----------------------------------------
--EB

> All is fine except that I can reliably "oops" it simply by trying to read
> from /proc/apm (e.g. cat /proc/apm).
> oops output and ksymoops-2.3.4 output is attached.
> Is there anything else I can contribute?

The latitude and longtitude of the bios writers current position, and
a ballistic missile.

                --Alan Cox LKML-December 08,2000 

----------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Tobias Hirning]

[-- Attachment #1: Type: text/plain, Size: 602 bytes --]

Hi Ray!
On Friday, 1. April 2005 18:52 Ray wrote:
>> [...]
> [..]
> Get the shadow file and crack
Yeah, I've done this on a big system and about 90% of the users used 
weak passwords.
> [...]
> Sniff the password from telnet/unsecure services
Who is still using telnet? I wouldn't use telnet on a secure net 
either.
Tobias

-- 
GPG-Fingerprint: C39E 5381 7721 8613 B5C9  CFAF 54FC B8DB D02D 7085
Registered Linux-User #367044
Registered Linux-Machine #262062
http://counter.li.org
Diese E-Mail wurde mit einer fortgeschrittenen elektronischen
Signatur nach §2 2. d) SigG signiert.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: root password

[Ray Olszewski]

At 08:03 PM 4/1/2005 +0200, Tobias Hirning wrote:
>Hi Ray!
>On Friday, 1. April 2005 18:52 Ray wrote:
> >> [...]
> > [..]
> > Get the shadow file and crack
>Yeah, I've done this on a big system and about 90% of the users used
>weak passwords.
> > [...]
> > Sniff the password from telnet/unsecure services
>Who is still using telnet? I wouldn't use telnet on a secure net
>either.
>Tobias

I don't, from these fragments, recognize what message you are replying to, 
Tobias. But your quoting makes it appear that the two suggestions you 
respond to are mine, and I just wanted to make it clear that they are not. 
Neither would have been responsive to the message that started this thread 
... a user who forgot his own root password looking for a workaround.

In a modern setting, neither of these suggestions is very useful ... only 
amazingly insecure systems would be vulnerable to either approach.

"Get the shadow file" is not a trivial step in the instructions (How to 
travel in time: 1. Purchase or construct a flux capacitor; 2. Install it in 
a DeLorean); normally it requires root access.  So anyone who can get this 
file has already figured out how to get root access, at least in a limited 
way. I am a bit surprised at your 90% claim; when I've done this (in my 
onetime role as a sysadmin), I found maybe 3-5% of users had weak passwords 
(by the standards of the cracking software of the time).

And while telnet continues to have very limited, specialized uses (for some 
embedded systems, it is the only service available), you are right that no 
host that pretends to be even minimally secure should be running a telnet 
daemon.


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Tobias Hirning]

[-- Attachment #1: Type: text/plain, Size: 1531 bytes --]

Am Samstag, 2. April 2005 20:53 schrieben Sie:
> At 08:03 PM 4/1/2005 +0200, Tobias Hirning wrote:
>> [...]
>
> I don't, from these fragments, recognize what message you are
> replying to, Tobias.
Sorry about that, yes I was replying to your mail.

> But your quoting makes it appear that the two 
> suggestions you respond to are mine, and I just wanted to make it
> clear that they are not. Neither would have been responsive to the
> message that started this thread ... a user who forgot his own root
> password looking for a workaround.
I don't want to start such a big thread.
> [...]
> "Get the shadow file" is not a trivial step in the instructions
> (How to travel in time: 1. Purchase or construct a flux capacitor;
> 2. Install it in a DeLorean); normally it requires root access.  So
> anyone who can get this file has already figured out how to get
> root access, at least in a limited way. I am a bit surprised at
> your 90% claim; when I've done this (in my onetime role as a
> sysadmin), I found maybe 3-5% of users had weak passwords (by the
> standards of the cracking software of the time).
Yes, I don't told, that it was the shadow file of a school, with only 
8 character passwords and DES-encryption.
> [...]
Tobias

-- 
GPG-Fingerprint: C39E 5381 7721 8613 B5C9  CFAF 54FC B8DB D02D 7085
Registered Linux-User #367044
Registered Linux-Machine #262062
http://counter.li.org
Diese E-Mail wurde mit einer fortgeschrittenen elektronischen
Signatur nach §2 2. d) SigG signiert.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: root password

[Eric Bambach]

On Wednesday 30 March 2005 08:36 am, Ray Olszewski wrote:
> Any other suggestion of how to become root without knowing the root
> password is a technique for breaking into systems, and I (and I hope
> everyone else) will not give advice on that publicly, in this forum or
> anywhere else.

I respectfully disagree. How will sysadmins ever know how to secure their 
systems unless they know HOW break-ins occur. Certainly most hacking doesnt 
come from boot CDs but having a more informed sysadmin is infinitely better 
than one that only discovers how to make their system more secure *AFTER* 
being broken into.

What you are saying is that security through obscurity is good and there have 
been countless rebuttals on just how horrible security though obscurity is in 
99% of the situations. The only reason for S.T.O. is a company that found an 
exploit and is giving lead-time to the vendor to patch their vulnerable 
software.

-- 
----------------------------------------
--EB

> All is fine except that I can reliably "oops" it simply by trying to read
> from /proc/apm (e.g. cat /proc/apm).
> oops output and ksymoops-2.3.4 output is attached.
> Is there anything else I can contribute?

The latitude and longtitude of the bios writers current position, and
a ballistic missile.

                --Alan Cox LKML-December 08,2000 

----------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Ray Olszewski]

At 10:55 AM 4/1/2005 -0600, Eric Bambach wrote:
>On Wednesday 30 March 2005 08:36 am, Ray Olszewski wrote:
> > Any other suggestion of how to become root without knowing the root
> > password is a technique for breaking into systems, and I (and I hope
> > everyone else) will not give advice on that publicly, in this forum or
> > anywhere else.
>
>I respectfully disagree. How will sysadmins ever know how to secure their
>systems unless they know HOW break-ins occur. Certainly most hacking doesnt
>come from boot CDs but having a more informed sysadmin is infinitely better
>than one that only discovers how to make their system more secure *AFTER*
>being broken into.
>
>What you are saying is that security through obscurity is good and there have
>been countless rebuttals on just how horrible security though obscurity is in
>99% of the situations. The only reason for S.T.O. is a company that found an
>exploit and is giving lead-time to the vendor to patch their vulnerable
>software.

I wasn't quite saying that, and I apologize if my abbreviated presentation 
led you down that path. My reluctance was specific to this context, in 
which someone was asking not how to secure a system, but how to become root 
without knowing the root password. That it was his own system he wanted to 
break into certainly is relevant, but, on a public list, it is not the only 
consideration.

I do believe that sysadmins need to know how to secure thair systems. There 
are plenty of sites on the Internet, and books and articles in print, that 
offer this sort of help. And one can learn how to secure systems without 
receiving detailed tutorials in how to exploit common holes (buffer 
overflows, overprivileged daemons, weak passwords, and so on).

But I also believe that giving step-by-step instructions for how to break 
into systems, on a list intended for beginners, is not the best way to make 
this information public. That sort of help is a bit more than fighting 
"security through obscurity" by identifying vulnerabilities, in my opinion 
... it amounts to tutoring crackers, something I personally do not care to 
do. Particularly in the context of the actual question, which involved a 
system that the poster (presumably) had physical access to, so could retake 
control of with a rescue disk.

If you (and Tobias, and anyone else) feel differently, then you should act 
on your beliefs and provide this sort of information on request, I suppose. 
So I do apologize for the suggestion that my personal view here should 
restrict what you and others do. Please feel free to provide any 
information of this sort that you have, and be sure I will not criticize 
you for doing so.


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[J.]

On Fri, 1 Apr 2005, Ray Olszewski wrote:

> At 10:55 AM 4/1/2005 -0600, Eric Bambach wrote:
> >On Wednesday 30 March 2005 08:36 am, Ray Olszewski wrote:
> > > Any other suggestion of how to become root without knowing the root
> > > password is a technique for breaking into systems, and I (and I hope
> > > everyone else) will not give advice on that publicly, in this forum or
> > > anywhere else.
> >
> >I respectfully disagree. How will sysadmins ever know how to secure their
> >systems unless they know HOW break-ins occur. Certainly most hacking doesnt
> >come from boot CDs but having a more informed sysadmin is infinitely better
> >than one that only discovers how to make their system more secure *AFTER*
> >being broken into.
> >
> >What you are saying is that security through obscurity is good and there have
> >been countless rebuttals on just how horrible security though obscurity is in
> >99% of the situations. The only reason for S.T.O. is a company that found an
> >exploit and is giving lead-time to the vendor to patch their vulnerable
> >software.
> 
> I wasn't quite saying that, and I apologize if my abbreviated presentation 
> led you down that path. My reluctance was specific to this context, in 
> which someone was asking not how to secure a system, but how to become root 
> without knowing the root password. That it was his own system he wanted to 
> break into certainly is relevant, but, on a public list, it is not the only 
> consideration.
> 
> I do believe that sysadmins need to know how to secure thair systems. There 
> are plenty of sites on the Internet, and books and articles in print, that 
> offer this sort of help. And one can learn how to secure systems without 
> receiving detailed tutorials in how to exploit common holes (buffer 
> overflows, overprivileged daemons, weak passwords, and so on).
> 
> But I also believe that giving step-by-step instructions for how to break 
> into systems, on a list intended for beginners, is not the best way to make 
> this information public. That sort of help is a bit more than fighting 
> "security through obscurity" by identifying vulnerabilities, in my opinion 
> ... it amounts to tutoring crackers, something I personally do not care to 
> do. Particularly in the context of the actual question, which involved a 
> system that the poster (presumably) had physical access to, so could retake 
> control of with a rescue disk.
> 
> If you (and Tobias, and anyone else) feel differently, then you should act 
> on your beliefs and provide this sort of information on request, I suppose. 
> So I do apologize for the suggestion that my personal view here should 
> restrict what you and others do. Please feel free to provide any 
> information of this sort that you have, and be sure I will not criticize 
> you for doing so.

If anyone can break into `A', `Your', `Someone's' OS, by following only a
few steps with ease - The World should know. 

Since it is only then that Users are able to define quality.

J.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Peter]

On Fri, 2005-04-01 at 10:23 -0800, Ray Olszewski wrote:

(snipped)
> 
> If you (and Tobias, and anyone else) feel differently, then you should
> act 
> on your beliefs and provide this sort of information on request, I
> suppose. 
> So I do apologize for the suggestion that my personal view here
> should 
> restrict what you and others do. Please feel free to provide any 
> information of this sort that you have, and be sure I will not
> criticize 
> you for doing so.

Ray,

I just want to say that over the two years I have been subscribed to
this list, I have learnt a great deal from you, both about Linux, and
about integrity and attention to detail. Your contributions have always
been considered, thorough, to the point and helpful.

We have all, I think, learnt much about how to trouble-shoot our
problems, just from reading the way you go about it.

I personally feel that your response in this case is a model of respect
and openness, and thoroughly in keeping with what I think are the best
traditions of free and open-source software. 

Most of us, I hope, can see both sides of this issue.

Thank you for your continuing contribution to the list. I don't often
see acknowledgements of this kind on lists, but I think this one is
deserved.

Sincerely, 

Peter Garrett

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re[2]: root password *reset root password with grub*

[Kev]

> 
> Ankit Jain wrote:
> 
> > i have forgotten my root pasword. i had installed
> > redhat linux 9.0 kernel version 2.4 with grub loader.
> > if somebody can tell me how to change the password
> > without logging.
> 

first you have to boot the computer in single user mode, with single
user mode you dont need to root password.

To get into single user mode from GRUB, highlight the linux operating system you want to boot.
After the line is highlighted, press 'e'. 'e' will get you into the GRUB
editor. Next, highlight the line that begins with "kernel" and press 'e'
again. 'e' the second time will allow you to edit the "kernel" line. Add
the word "single" to the end of the line, "single" will tell the kernel
to boot into single user mode. After adding the word "single", press
"Enter" and then 'b' to boot the operating system.

one you got in to the single user mode, type passwd and change the root
password.

To leave single user mode, there are a number of possibilities, 
you can always execute a "shutdown" or "reboot" command, or you can
simply type "exit". When you type "exit", you will leave single user
mode and the operating system will continue to boot normally.


Kev.........
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: Re[2]: root password *reset root password with grub*

[joy merwin monteiro]

Hi,

My Debian System asks for a password even in single mode...
Your solutino would probably work on RH and variants....
Which is OK in this case, but in case somesone needs to know...

Joy

On Apr 3, 2005 8:34 AM, Kev <savage-garden@hanikamail.com> wrote:
> 
> >
> > Ankit Jain wrote:
> >
> > > i have forgotten my root pasword. i had installed
> > > redhat linux 9.0 kernel version 2.4 with grub loader.
> > > if somebody can tell me how to change the password
> > > without logging.
> >
> 
> first you have to boot the computer in single user mode, with single
> user mode you dont need to root password.
> 
> To get into single user mode from GRUB, highlight the linux operating system you want to boot.
> After the line is highlighted, press 'e'. 'e' will get you into the GRUB
> editor. Next, highlight the line that begins with "kernel" and press 'e'
> again. 'e' the second time will allow you to edit the "kernel" line. Add
> the word "single" to the end of the line, "single" will tell the kernel
> to boot into single user mode. After adding the word "single", press
> "Enter" and then 'b' to boot the operating system.
> 
> one you got in to the single user mode, type passwd and change the root
> password.
> 
> To leave single user mode, there are a number of possibilities,
> you can always execute a "shutdown" or "reboot" command, or you can
> simply type "exit". When you type "exit", you will leave single user
> mode and the operating system will continue to boot normally.
> 
> 
> Kev.........
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
> 


-- 
people always turn away,
from the eyes of a stranger...
Afraid to know
what lies behind the stare.......
    --QueensRyche
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: Re[2]: root password *reset root password with grub*

[Glynn Clements]

joy merwin monteiro wrote:

> My Debian System asks for a password even in single mode...
> Your solutino would probably work on RH and variants....
> Which is OK in this case, but in case somesone needs to know...

That's why I suggested using "init=/bin/sh". That will never ask for a
password.

-- 
Glynn Clements <glynn@gclements.plus.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Ankit Jain]

Thanks a lot for help.

i started the question not to hack any system but i
was curious to know that in linux its easy to change
the root passwd

in this case the authenticity is a problem. still it
can be changed by a boot CD even i think so u have
apasswd for boot loader. so in this case what should
be done? and also is there any other flaws which are
openly known i am not intrested to destruct any system
but want to know which is already known to ppl that if
root passwd can be changed any other way also?

thanks to all for helping me out

regards,

ankit
--- Ray Olszewski <ray@comarre.com> wrote:
> At 10:55 AM 4/1/2005 -0600, Eric Bambach wrote:
> >On Wednesday 30 March 2005 08:36 am, Ray Olszewski
> wrote:
> > > Any other suggestion of how to become root
> without knowing the root
> > > password is a technique for breaking into
> systems, and I (and I hope
> > > everyone else) will not give advice on that
> publicly, in this forum or
> > > anywhere else.
> >
> >I respectfully disagree. How will sysadmins ever
> know how to secure their
> >systems unless they know HOW break-ins occur.
> Certainly most hacking doesnt
> >come from boot CDs but having a more informed
> sysadmin is infinitely better
> >than one that only discovers how to make their
> system more secure *AFTER*
> >being broken into.
> >
> >What you are saying is that security through
> obscurity is good and there have
> >been countless rebuttals on just how horrible
> security though obscurity is in
> >99% of the situations. The only reason for S.T.O.
> is a company that found an
> >exploit and is giving lead-time to the vendor to
> patch their vulnerable
> >software.
> 
> I wasn't quite saying that, and I apologize if my
> abbreviated presentation 
> led you down that path. My reluctance was specific
> to this context, in 
> which someone was asking not how to secure a system,
> but how to become root 
> without knowing the root password. That it was his
> own system he wanted to 
> break into certainly is relevant, but, on a public
> list, it is not the only 
> consideration.
> 
> I do believe that sysadmins need to know how to
> secure thair systems. There 
> are plenty of sites on the Internet, and books and
> articles in print, that 
> offer this sort of help. And one can learn how to
> secure systems without 
> receiving detailed tutorials in how to exploit
> common holes (buffer 
> overflows, overprivileged daemons, weak passwords,
> and so on).
> 
> But I also believe that giving step-by-step
> instructions for how to break 
> into systems, on a list intended for beginners, is
> not the best way to make 
> this information public. That sort of help is a bit
> more than fighting 
> "security through obscurity" by identifying
> vulnerabilities, in my opinion 
> ... it amounts to tutoring crackers, something I
> personally do not care to 
> do. Particularly in the context of the actual
> question, which involved a 
> system that the poster (presumably) had physical
> access to, so could retake 
> control of with a rescue disk.
> 
> If you (and Tobias, and anyone else) feel
> differently, then you should act 
> on your beliefs and provide this sort of information
> on request, I suppose. 
> So I do apologize for the suggestion that my
> personal view here should 
> restrict what you and others do. Please feel free to
> provide any 
> information of this sort that you have, and be sure
> I will not criticize 
> you for doing so.
> 
> 
> -
> To unsubscribe from this list: send the line
> "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at
> http://www.linux-learn.org/faqs
> 


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Personals - Better first dates. More second dates. 
http://personals.yahoo.com

Re: root password

[Jim C. Brown]

On Sat, Apr 02, 2005 at 08:39:40PM -0800, Ankit Jain wrote:
> in this case the authenticity is a problem. still it
> can be changed by a boot CD even i think so u have
> apasswd for boot loader. so in this case what should
> be done?

Password on the bootloader will only stop those who are trying to get into
single user mode. In most cases, a boot CD will be loaded before the hard disk
is checked for a bootloader, and in that case the password protection would
be effectively bypassed.

If your bios supports it, you can turn on a CMOS password ... this is asked
the moment you turn your computer on from a cold boot, and must be entered
correctly before the bios will load any boot media (such as CDs, hard disks,
floppy disks, etc). However it is fairly easy to read the CMOS password on a
running system, and it can be erased by resetting the CMOS chip's battery.
So a determined person (such as a computer thief) will be able to bypass all 3
password protections.

There is the additional factor of password protecting your file systems (by
means of encryption) but this is not a trival undertaking (there is no single
'what command do i type' to do this, and unless this is a fresh install or you
have fresh backups there is the possibility of losing all your data in the
conversion if something goes wrong). And it only protects your data from being
read, a thief could still bypass CMOS password and load up bootCD to erase
everything on your disk.

> and also is there any other flaws which are
> openly known i am not intrested to destruct any system
> but want to know which is already known to ppl that if
> root passwd can be changed any other way also?
> 
> thanks to all for helping me out

I would recommend looking at linuxsecurity.com or the security advisorys on
linux.com

> 
> regards,
> 
> ankit
> --- Ray Olszewski <ray@comarre.com> wrote:
> > At 10:55 AM 4/1/2005 -0600, Eric Bambach wrote:
> > >On Wednesday 30 March 2005 08:36 am, Ray Olszewski
> > wrote:
> > > > Any other suggestion of how to become root
> > without knowing the root
> > > > password is a technique for breaking into
> > systems, and I (and I hope
> > > > everyone else) will not give advice on that
> > publicly, in this forum or
> > > > anywhere else.
> > >
> > >I respectfully disagree. How will sysadmins ever
> > know how to secure their
> > >systems unless they know HOW break-ins occur.
> > Certainly most hacking doesnt
> > >come from boot CDs but having a more informed
> > sysadmin is infinitely better
> > >than one that only discovers how to make their
> > system more secure *AFTER*
> > >being broken into.
> > >
> > >What you are saying is that security through
> > obscurity is good and there have
> > >been countless rebuttals on just how horrible
> > security though obscurity is in
> > >99% of the situations. The only reason for S.T.O.
> > is a company that found an
> > >exploit and is giving lead-time to the vendor to
> > patch their vulnerable
> > >software.
> > 
> > I wasn't quite saying that, and I apologize if my
> > abbreviated presentation 
> > led you down that path. My reluctance was specific
> > to this context, in 
> > which someone was asking not how to secure a system,
> > but how to become root 
> > without knowing the root password. That it was his
> > own system he wanted to 
> > break into certainly is relevant, but, on a public
> > list, it is not the only 
> > consideration.
> > 
> > I do believe that sysadmins need to know how to
> > secure thair systems. There 
> > are plenty of sites on the Internet, and books and
> > articles in print, that 
> > offer this sort of help. And one can learn how to
> > secure systems without 
> > receiving detailed tutorials in how to exploit
> > common holes (buffer 
> > overflows, overprivileged daemons, weak passwords,
> > and so on).
> > 
> > But I also believe that giving step-by-step
> > instructions for how to break 
> > into systems, on a list intended for beginners, is
> > not the best way to make 
> > this information public. That sort of help is a bit
> > more than fighting 
> > "security through obscurity" by identifying
> > vulnerabilities, in my opinion 
> > ... it amounts to tutoring crackers, something I
> > personally do not care to 
> > do. Particularly in the context of the actual
> > question, which involved a 
> > system that the poster (presumably) had physical
> > access to, so could retake 
> > control of with a rescue disk.
> > 
> > If you (and Tobias, and anyone else) feel
> > differently, then you should act 
> > on your beliefs and provide this sort of information
> > on request, I suppose. 
> > So I do apologize for the suggestion that my
> > personal view here should 
> > restrict what you and others do. Please feel free to
> > provide any 
> > information of this sort that you have, and be sure
> > I will not criticize 
> > you for doing so.
> > 
> > 
> > -
> > To unsubscribe from this list: send the line
> > "unsubscribe linux-newbie" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at 
> > http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at
> > http://www.linux-learn.org/faqs
> > 
> 
> 
> 		
> __________________________________ 
> Do you Yahoo!? 
> Yahoo! Personals - Better first dates. More second dates. 
> http://personals.yahoo.com
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
Infinite complexity begets infinite beauty.
Infinite precision begets infinite perfection.

Re: root password

[Grant Coady]

On Sat, 2 Apr 2005 20:39:40 -0800 (PST), Ankit Jain <ankitjain1580@yahoo.com> wrote:

>i started the question not to hack any system but i
>was curious to know that in linux its easy to change
>the root passwd

>in this case the authenticity is a problem. still it
>can be changed by a boot CD even i think so u have
>apasswd for boot loader. so in this case what should
>be done?

Startup password for machine in BIOS, disable boot from 
removable media in BIOS.  The truly paranoid may have an 
encrypted filesystem with say a smart card hold the keys.

>         and also is there any other flaws which are
>openly known i am not intrested to destruct any system
>but want to know which is already known to ppl that if
>root passwd can be changed any other way also?

Not flaws as such -- if there is physical access to 
computer it is not secure.  That's why fileservers live 
in locked machine rooms.  

You see that past a certain point, software security 
cannot help?  But they come close in large systems where 
user data is held on network server -- start the machine 
but cannot access private data until login.

Cheers,
Grant.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: root password

[Glynn Clements]

Ankit Jain wrote:

> i started the question not to hack any system but i
> was curious to know that in linux its easy to change
> the root passwd

It's easy *if* you have physical access to the machine. But in that
situation, you could just remove the hard drive and take it home. Or
install a keystroke logger into the keyboard to capture the root
password.

If an attacker can get physical access to the system, you lose.

-- 
Glynn Clements <glynn@gclements.plus.com>

Re: root password

[Andrew]

Glynn Clements wrote:

>If an attacker can get physical access to the system, you lose.
>
>  
>
This has been amply demonstrated to me by my three-year-old.

Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs