Mario 'BitKoenig' Holbe wrote:
> Package: initramfs-tools
> Version: 0.92l
>
> Hello,
>
> initrams created by initramfs-tools default to opening shell access to
> the system on errors. This is an insecure default. Errors can be induced
> on otherwise secured systems in many ways, like plugging in USB sticks,
> eSATA devices, entering wrong passphrases, or whatever.
> The rest of the system tries to ensure not to give away unauthorized
> (root) shells by asking for passwords when entering maintenance or
> single user mode, etc.
>
> I know that initrams can be tweaked not to bail to a shell as a
> side-effect of setting the panic= kernel parameter. However, users have
> to explicitly choose this secure way. A cleaner approach w.r.t. secure
> defaults, IMHO, would be to let users choose the insecure way by
> setting a `bailtoshell' parameter or something like that (probably at
> the kernel commandline to allow emergency intervention).
>
> I'm not sure about the severity of this bug report, so I leave that up
> to you.
>
>
> regards
> Mario

When this happens, no service is running that can enable remote login on
the system.

If someone has physical access to the system, the described procedure
(live usb/cd/dvd) could not be prevented. I therefore prefer encrypting
all, including the root fs too.

My last experience with initramfs and 2.6.26-1 impressed me; I don't see
such a problem with it. The initrd was created with the dm-crypt module
and the boot process (/init script) asked for a password.

The only problem I see is when you have more than one encrypted root
attached. It always takes the first one.

regards