Hi,
I've been informed this is a 'feature', not a 'flaw'... sounds like MS?
From ljcobb Fri May 11 19:40:05 2001
From: Alan Cox <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Subject: Re: root password security flaw
To: [EMAIL PROTECTED] (Linda MacPhee-Cobb)
Date: Fri, 11 May 2001 19:36:18 -0400 (EDT)
CC: [EMAIL PROTECTED] (Alan)
In-Reply-To: <[EMAIL PROTECTED]> from "Linda MacPhee-Cobb" at May 11, 2001 07:26:29 PM
X-Mailer: ELM [version 2.5 PL3]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
> > OK. Now how do you do it.
> > 1: First think up a new password.
> > 2: Reboot the machine.
> > 3: At the LILO prompt type Linux 1
> > 4: At the prompt, after you are in, type passwd root
> > 5: Enter your new password twice.
> > 6: Reboot like normal.
> > > **************
> > I tried it on both my and my husband's machines and trivially gained
> > root control.
Well, it's a PC. So let's firstly look at this objectively.

Got a screwdriver? Then you have root access.

Floppy drive and the machine boots floppy first? Then you have root access.

In certain environments you don't want people doing this. LILO allows you to
stop people adding options to the LILO prompt in such cases. Of course a
screwdriver and/or axe still work very well, but there are ways to deal
with that in things like libraries.

So no, it isn't a bug. It's a configuration item. If you are worried about
people with screwdrivers (and in corporate data cases you might be..) then you end
up needing hard encryption on all disk contents, so even if the bad guys
steal the disk they can't access the data without the decryption key.

I suspect however the password options on LILO are what you want.
Alan
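The LILO password options Alan refers to, shown as an added configuration example that is not part of the original thread: `restricted` and `password=` are real lilo.conf keywords, while the device names, paths and label are assumptions for illustration.

```conf
# /etc/lilo.conf (added example; device names and label are assumed)
boot=/dev/hda
prompt
timeout=50
default=linux

# Weak setting: nothing below restricts the prompt, so anyone at the
# console can add boot options (e.g. "linux 1") and come up in
# single-user mode as root with no password asked.
#
# image=/boot/vmlinuz
#     label=linux
#     root=/dev/hda1
#     read-only

# Corrected setting: with "restricted", the password is demanded only
# when extra options are typed at the LILO prompt, so an unattended
# reboot with the default label still works without interaction.
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
    restricted
    password=REPLACE-WITH-A-REAL-PASSWORD   # placeholder value
```

LILO keeps this password in the configuration file itself, so /etc/lilo.conf should be readable by root only (mode 600), and /sbin/lilo has to be re-run after editing before the boot sector picks up the change. This stops only the option-at-the-prompt path; the floppy and screwdriver cases Alan lists still need BIOS boot-order settings, physical controls or disk encryption.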
_______________________________________________
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk