This is a security hole ONLY if someone has access to the machine itself. I bet many UNIX machines have a similar problem. That's why I've seen PDP minicomputers where the power switch was under lock and key, and the front panel on these machines was also lockable. Most PCs used to have a keyboard lock switch on the box which will render the machine safe from such an attack (but unless the power switch is locked someone could at least bring the thing down!)

Don't bother trying to fix this in software; to be secure from such an attack you must secure the HARDWARE!!!!!

-------------------------------------------------------

On Sat, 10 Oct 1998 10:42:52 +0100, Ralf G. R. Bergs wrote:
>On Sat, 10 Oct 1998 00:52:49 -0700 (PDT), George Bonser wrote:
>
>[...]
>>Allow me to translate. Boot the rescue disk as if you are installing,
>[whole story deleted]
>
>Hey guys, why so complicated???
>
>What's wrong with giving LILO a kernel command line of "init=/bin/sh"? This way
>you boot straight into sh, and you can then change the root password.
>
>This is how I usually do it under Slackware, and even tho Debian uses shadow
>passwords it should work the same way.

Ouch, I tried it, it really works!!!! That means on a standard Linux machine, everybody could just switch off the power, give the LILO kernel option on reboot and be root??!! Why not simply drop the need of a login password?
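
An added example, not part of the thread: a small audit of lilo.conf text that lists the kernel images a person at the boot prompt could start with extra parameters such as `init=` without being asked for a password. It relies on the `password`, `restricted` and `bypass` keywords from lilo.conf(5); the sample config and the function names are constructed for illustration, and it covers only the boot prompt, not booting from other media.

```python
# Added example: audit lilo.conf for images that accept boot-prompt
# parameters (e.g. init=...) without a password. Names are hypothetical.

# Constructed sample config, not taken from the thread.
SAMPLE = """\
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
    label=linux
    root=/dev/hda1
    password=CHANGEME   # placeholder value
    restricted
image=/vmlinuz.old
    label=old
    root=/dev/hda1
"""

def parse(text):
    """Return (global_opts, sections); bare flags are stored as True."""
    glob, sections, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, sep, val = (p.strip() for p in line.partition("="))
        key = key.lower()
        if key in ("image", "other"):             # start of a per-image section
            cur = {"kind": key, "path": val}
            sections.append(cur)
            continue
        (glob if cur is None else cur)[key] = val.strip('"') if sep else True
    return glob, sections

def unprotected_images(text):
    """Labels of kernel images bootable with extra parameters and no password."""
    glob, sections = parse(text)
    exposed = []
    for sec in sections:
        if sec["kind"] != "image":                # only Linux kernels take init=
            continue
        # A per-image password applies; a global one applies unless 'bypass' is set.
        protected = "password" in sec or ("password" in glob and "bypass" not in sec)
        if not protected:
            exposed.append(sec.get("label", sec["path"]))
    return exposed

if __name__ == "__main__":
    print(unprotected_images(SAMPLE))
```

Because the password is stored in plain text in lilo.conf, the file itself should be readable by root only.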