Jump to content
Trio3b

protect root / user passwords

Recommended Posts

Running mdv2008.1 I have hired an assistant to help in the office and have already locked permissions on files/folders I don't want them to have access to but I remembered there is a way to reset root password by entering single user mode at boot and typing passwd. It will then prompt to enter new password and confirm without asking for the old / original password. The likelyhood that this person would go thru the trouble to learn how to do this is slim as they are unfamiliar with Linux but I want to cover all angles.

 

1. Is this correct?

2. How can I prevent other/unauthorized users from doing this?

 

I read up on /etc/passwd and etc/shadow but not sure I'm understanding. Looked into etc/passwd and it lists user IDs and etc/shadow contains the password in encoded or encrypted form but you need root password to view /etc/shadow which is a good thing, but this doesn't seem to address the ability of an unauthorized person from entering single user mode at boot and changing the password using the command passwd.

 

I don't think I need to protect against cracking the root password per se (or maybe I do), but more against someone changing it.

 

Any other security tips appreciated. I don't think I'm ready to encrypt folders and files yet. One thing at a time for me right now.

 

Thanks

Edited by Trio3b

Share this post


Link to post
Share on other sites

If I remember correctly, if you boot single user mode, it will ask you for the maintenance (root) password, or CTRL-D to reboot the system. At least, this is what I think, I've not done it for a while to be 100% sure of it.

Share this post


Link to post
Share on other sites

If I remember correctly, if you boot single user mode, it will ask you for the maintenance (root) password, or CTRL-D to reboot the system. At least, this is what I think, I've not done it for a while to be 100% sure of it.

Unless things have changed if you boot single you are root without giving a password.

Share this post


Link to post
Share on other sites

Unless things have changed if you boot single you are root without giving a password.

If the intruders have access to the computer, they can boot using a Live CD and get access to all files on the HD.

Share this post


Link to post
Share on other sites

The best protection would be to encrypt the file systems and use a BIOS password but in a business environment that would require someone with the passwords to be on site at all times just in case.

Share this post


Link to post
Share on other sites

The best protection would be to encrypt the file systems and use a BIOS password but in a business environment that would require someone with the passwords to be on site at all times just in case.

 

Yes the LiveCD would be a way in but it does require somewhat of a learning curve for the newb and I'm not sure this person would pursue this. I try to make sure that no really sensitive data such as SS# or credit card info is on the PC at all anyway. Just being paranoid I guess. Encryption is definitely an option but as mentioned I'm new to that and want to do it right so I don't know if I have time for that right now.

 

Years ago I did install a minitoggle switch hidden on the back panel of a tower to disconnect power to the CDrom drive to keep the kids from using the drive. I guess I could do that again.

 

The BIOS password option is a good one as well and I have used that in the past, but yes, a business environment requires a certain amount of fluid access to the PC and its files.

 

I think maybe I'll go back to mowing lawns and keeping client info on a pocket notebook like I did as a teen. :P

 

Thanks for the replies.

Edited by Trio3b

Share this post


Link to post
Share on other sites

The best protection would be to encrypt the file systems and use a BIOS password but in a business environment that would require someone with the passwords to be on site at all times just in case.

Root FS can be encrypted using a keyfile, which can either be stored in some network place, or in some USB-stick held by the computer operator. So, this isn't an issue at all. Encryption, while not a bulletproof solution, is still an excellent choice for corporate environments.

I'm talking about kernel-based LUKS/dm-crypt filesystem encryption, but there are other effective solutions as well.

Share this post


Link to post
Share on other sites

What about erasing the single user mode from the boot menu. You could also remove the dvd/cdrom from the boot order in the bios. Password protect the bios so that you can reactivate if you need.

Edited by SilverSurfer60

Share this post


Link to post
Share on other sites

What about erasing the single user mode from the boot menu. You could also remove the dvd/cdrom from the boot order in the bios. Password protect the bios so that you can reactivate if you need.

 

Hmmm . . these sound like viable options. Will give them a go.

 

Thanks

Share this post


Link to post
Share on other sites

@SilverSurfer60 In my ten years of using Mandrake/Mandriva I have never seen an option in grub to boot single user mode.

 

@Trio3b Just remember that if the BIOS is password protected no one came boot the machine without that password short of opening the case and removing the backup battery to clear the BIOS.

Share this post


Link to post
Share on other sites

Sorry I should have been a bit more precise and said the 'mandriva safe mode', which when selected will boot into single user mode. Sorry for the inaccuracy.

Share this post


Link to post
Share on other sites

You can also password protect grub, so that you can't edit any entry and then boot single mode this way without requiring the password. Also make sure that the hard disk appears in boot order before the cdrom, then they can't boot from cd, and password protect the bios too. Then there's no way for them to get around it all.

Share this post


Link to post
Share on other sites

I think BIOS psswd and removing CDROM from boot selection is the way to go for now to at least plug up those holes. Not experienced enough to mess with GRUB yet but also sounds like a great option, because I think you can still pass "single" to the kernel at the bootsplash or the option to enter the console at the login screen so yes protecting GRUB is something to look into.

 

Thanks

Share this post


Link to post
Share on other sites

Yes, you can edit the line in grub and boot it one time without permanent change. The password option stops you making edits, and so cannot boot single user mode.

Share this post


Link to post
Share on other sites
Guest Arvi Pingus
Yes, you can edit the line in grub and boot it one time without permanent change. The password option stops you making edits.
Being not that familiar with Grub.

Can you explain a bit more the option 'boot without permanent change'

and the same for 'The password option stops you making edits'?

 

I am a bit confused. I recently read about the feature request of making Grub password protected. (hm where did I read it?)

So having to enter a password before getting access to grub. (above BIOS password check it would be a great lock for preventing entrance)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...