I guess this is more of a general linux question than a fedora one, but since I use fedora...
A friend of mine (a Windows aficionado, but not experienced with linux), and I were talking about recent examples where folk were required by the court to provide the password for their laptop. That led to a beer-induced thought problem:
In linux, is it possible to dictate two different actions upon login with different passwords? For instance, given an encrypted file dat.txt, could one have a login such that:
login: billo Password: Password1 Action: bring up shell
login: billo Password: Password2 Action: delete dat.txt, then bring up shell
Assume some arbitrary level of encryption. I guess with just file encryption (e.g. dat.gpg) it's not a login problem. So assume there's encryption of the home directory or of the /home partition.
I couldn't think of any. There are a thousand ways to delete a file on login, of course, but I couldn't think of a way to accept two different passwords. The closest I could come up with was to have two different accounts with the same userid but different usernames in /etc/password, with a different initial startup for each. But that would provide two different usernames...
billo
On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver vendor@billoblog.com wrote:
In linux, is it possible to dictate two different actions upon login with different passwords?
Short answer: no.
Longer answer: in computing almost anything is possible if you really want to achieve it. Given that on Unix-style systems, including Linux, the login program can be changed, you can modify the source to do what you want. Of course you'll need to have superuser privileges to install it in place of the system standard. Note that doing this may well open a can of worms, e.g. you might have to modify the format of the password file (and hence the library routines that access it), possibly fiddle with SElinux settings, etc. etc.
If the conditions are relaxed slightly you can get a partial solution using the standard login: write a Shell startup script (.profile or whatever) that allows the user to discriminate between the two modes, e.g. by using a timeout, detecting the initial state of the Shift (or Control or whatever) key etc., in a way that is hopefully non-obvious to an observer. Probably not reliable enough for serious use.
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
poc
On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver vendor@billoblog.com wrote:
In linux, is it possible to dictate two different actions upon login with different passwords?
Short answer: no.
Longer answer: in computing almost anything is possible if you really want to achieve it. Given that on Unix-style systems, including Linux, the login program can be changed, you can modify the source to do what you want. Of course you'll need to have superuser privileges to install it in place of the system standard. Note that doing this may well open a can of worms, e.g. you might have to modify the format of the password file (and hence the library routines that access it), possibly fiddle with SElinux settings, etc. etc.
If the conditions are relaxed slightly you can get a partial solution using the standard login: write a Shell startup script (.profile or whatever) that allows the user to discriminate between the two modes, e.g. by using a timeout, detecting the initial state of the Shift (or Control or whatever) key etc., in a way that is hopefully non-obvious to an observer. Probably not reliable enough for serious use.
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
poc
Yeah, that's what I thought. I'm a little surprised that there hasn't been a variant of linux developed for areas with intrusive government surveillance. I recently noticed that the government of Venezuela has a government-developed distro (Canaima); think there's some back doors in that? One would think that there would be a movement to provide anti-governmental variants.
I know there's no perfect security. Back in the day, I had an acquaintance whose job was to break into houses and install keyloggers on machines in people's homes. Of course that was back when we still believed in silly things like search warrants.
Sigh. I guess I'll just have to continue keeping my plans for world domination on my brother-in-law's computer... (Just kidding, NSA).
billo
On 12/30/2013 08:03 PM, Bill Oliver wrote:
On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver vendor@billoblog.com wrote:
In linux, is it possible to dictate two different actions upon login with different passwords?
Short answer: no.
Longer answer: in computing almost anything is possible if you really want to achieve it. Given that on Unix-style systems, including Linux, the login program can be changed, you can modify the source to do what you want. Of course you'll need to have superuser privileges to install it in place of the system standard. Note that doing this may well open a can of worms, e.g. you might have to modify the format of the password file (and hence the library routines that access it), possibly fiddle with SElinux settings, etc. etc.
If the conditions are relaxed slightly you can get a partial solution using the standard login: write a Shell startup script (.profile or whatever) that allows the user to discriminate between the two modes, e.g. by using a timeout, detecting the initial state of the Shift (or Control or whatever) key etc., in a way that is hopefully non-obvious to an observer. Probably not reliable enough for serious use.
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
poc
Yeah, that's what I thought. I'm a little surprised that there hasn't been a variant of linux developed for areas with intrusive government surveillance. I recently noticed that the government of Venezuela has a government-developed distro (Canaima); think there's some back doors in that? One would think that there would be a movement to provide anti-governmental variants.
I know there's no perfect security. Back in the day, I had an acquaintance whose job was to break into houses and install keyloggers on machines in people's homes. Of course that was back when we still believed in silly things like search warrants.
Sigh. I guess I'll just have to continue keeping my plans for world domination on my brother-in-law's computer... (Just kidding, NSA).
One approach is to put your important stuff on an encrypted partition that is not auto mounted. Mount it only when needed, then unmount it.
On Mon, 30 Dec 2013, Robert Moskowitz wrote:
One approach is to put your important stuff on an encrypted partition that is not auto mounted. Mount it only when needed, then unmount it.
Yeah, but poc was right in that if you have an image of the disk, you will know that there's an encrypted partition there, and you can get a court order to force the password. Since you have no fourth amendment rights upon entry to the country at the moment, the government does not need a warrant to seize your laptop and/or make an image of it to play with at one's leisure. Of course, even having a good password is no guarantee any more.
billo
On Tue, Dec 31, 2013 at 01:26:22 +0000, Bill Oliver vendor@billoblog.com wrote:
Yeah, but poc was right in that if you have an image of the disk, you will know that there's an encrypted partition there, and you can get a court order to force the password. Since you have no fourth amendment rights upon entry to the country at the moment, the government does not need a warrant to seize your laptop and/or make an image of it to play with at one's leisure. Of course, even having a good password is no guarantee any more.
In the US you probably can't be ordered to provide your password. If you are transiting the border it is probably best not to take sensitive data with you. It will normally be safer to use the internet to transfer the data after you have crossed the border.
On Mon, Dec 30, 2013 at 11:03:49PM -0600, Bruno Wolff III wrote:
On Tue, Dec 31, 2013 at 01:26:22 +0000, Bill Oliver vendor@billoblog.com wrote:
Yeah, but poc was right in that if you have an image of the disk, you will know that there's an encrypted partition there, and you can get a court order to force the password. Since you have no fourth amendment rights upon entry to the country at the moment, the government does not need a warrant to seize your laptop and/or make an image of it to play with at one's leisure. Of course, even having a good password is no guarantee any more.
In the US you probably can't be ordered to provide your password. If you are transiting the border it is probably best not to take sensitive data with you. It will normally be safer to use the internet to transfer the data after you have crossed the border.
It is very much a grey area, but it may not really matter. They can always keep your data and analyse later; more importantly refusal to divulge passwords could be grounds for denial of entry (only for non-US citizens).
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
In the US you *can* be ordered to provide a password. Though appeals are still working their way up to the Supreme Court, various courts have said you must, while others have said that you may not. See, for instance:
http://privacycast.com/encryption-key-disclosure-ordered-federal-court-fifth...
http://www.techdirt.com/articles/20130425/08171522834/judge-says-giving-up-y...
Thus, it is currently in the stage where it depends on what jurisdiction you are in. I am not confident that the Supreme Court will side with privacy or 5th amendment rights.
billo
On Mon, 30 Dec 2013, Bruno Wolff III wrote:
On Tue, Dec 31, 2013 at 01:26:22 +0000, Bill Oliver vendor@billoblog.com wrote:
Yeah, but poc was right in that if you have an image of the disk, you will know that there's an encrypted partition there, and you can get a court order to force the password. Since you have no fourth amendment rights upon entry to the country at the moment, the government does not need a warrant to seize your laptop and/or make an image of it to play with at one's leisure. Of course, even having a good password is no guarantee any more.
In the US you probably can't be ordered to provide your password. If you are transiting the border it is probably best not to take sensitive data with you. It will normally be safer to use the internet to transfer the data after you have crossed the border.
On Tue, Dec 31, 2013 at 1:03 AM, Bill Oliver vendor@billoblog.com wrote:
Yeah, that's what I thought. I'm a little surprised that there hasn't been a variant of linux developed for areas with intrusive government surveillance. I recently noticed that the government of Venezuela has a government-developed distro (Canaima); think there's some back doors in that? One would think that there would be a movement to provide anti-governmental variants.
I lived in Venezuela for over 30 years until about 6 months ago, so I know a few of the people involved in the Canaima distro. AFAIK it's basically Debian with a few localization changes. The reason for its development is largely political but I seriously doubt that it has deliberate backdoors (the people I know would not be party to that), though of course you can never be sure. Most users even within the government are still on Windows, in fact at least until recently some government websites still only worked properly with Internet Exploder :-)
poc
On Tue, Dec 31, 2013 at 14:13:11 +0000, Bill Oliver vendor@billoblog.com wrote:
In the US you *can* be ordered to provide a password. Though appeals are still working their way up to the Supreme Court, various courts have said you must, while others have said that you may not. See, for instance:
http://privacycast.com/encryption-key-disclosure-ordered-federal-court-fifth...
http://www.techdirt.com/articles/20130425/08171522834/judge-says-giving-up-y...
Thus, it is currently in the stage where it depends on what jurisdiction you are in. I am not confident that the Supreme Court will side with privacy or 5th amendment rights.
While this isn't settled, the main theme where people were ordered to provide passwords has been where it was already known what was on the machine beforehand. Either because customs saw what appeared to be child porn and then couldn't get the data back afterwards or when someone stated they had some particular information on their machine.
And of course in civil cases (such as copyright suits), you might lose by default if you don't provide the requested data.
On Tue, 31 Dec 2013, Bruno Wolff III wrote:
On Tue, Dec 31, 2013 at 14:13:11 +0000, Bill Oliver vendor@billoblog.com wrote:
In the US you *can* be ordered to provide a password. Though appeals are still working their way up to the Supreme Court, various courts have said you must, while others have said that you may not. See, for instance:
http://privacycast.com/encryption-key-disclosure-ordered-federal-court-fifth...
http://www.techdirt.com/articles/20130425/08171522834/judge-says-giving-up-y...
Thus, it is currently in the stage where it depends on what jurisdiction you are in. I am not confident that the Supreme Court will side with privacy or 5th amendment rights.
While this isn't settled, the main theme where people were ordered to provide passwords has been where it was already known what was on the machine beforehand. Either because customs saw what appeared to be child porn and then couldn't get the data back afterwards or when someone stated they had some particular information on their machine.
And of course in civil cases (such as copyright suits), you might lose by default if you don't provide the requested data.
Heh. I used to say that about the people I knew in the US federal govt, too.
billo
On 12/30/2013 08:09 PM, Robert Moskowitz wrote:
On 12/30/2013 08:03 PM, Bill Oliver wrote:
On Tue, 31 Dec 2013, Patrick O'Callaghan wrote:
On Mon, Dec 30, 2013 at 11:25 PM, Bill Oliver vendor@billoblog.com wrote:
In linux, is it possible to dictate two different actions upon login with different passwords?
Short answer: no.
Longer answer: in computing almost anything is possible if you really want to achieve it. Given that on Unix-style systems, including Linux, the login program can be changed, you can modify the source to do what you want. Of course you'll need to have superuser privileges to install it in place of the system standard. Note that doing this may well open a can of worms, e.g. you might have to modify the format of the password file (and hence the library routines that access it), possibly fiddle with SElinux settings, etc. etc.
If the conditions are relaxed slightly you can get a partial solution using the standard login: write a Shell startup script (.profile or whatever) that allows the user to discriminate between the two modes, e.g. by using a timeout, detecting the initial state of the Shift (or Control or whatever) key etc., in a way that is hopefully non-obvious to an observer. Probably not reliable enough for serious use.
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
poc
You could set up a PAM module that would work with the login shell to do different things based on the password.
Around 12:43am on Tuesday, December 31, 2013 (UK time), Patrick O'Callaghan wrote:
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
Just to emphasise what Patrick says, if you boot Linux into single user mode, you can get root access without needing a password, which would bypass any setup you had done this way.
You would be better off using disc encryption, and claiming that you used a long pass phrase which you had written down rather than remembered, and that you had destroyed the paper it was written on.
Steve
On Jan 2, 2014, at 9:32 AM, Steve Searle steve@stevesearle.com wrote:
Around 12:43am on Tuesday, December 31, 2013 (UK time), Patrick O'Callaghan wrote:
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
Just to emphasise what Patrick says, if you boot Linux into single user mode, you can get root access without needing a password, which would bypass any setup you had done this way.
Not on Fedora 20 at least, and I think since even Fedora 19, if you use "single" boot param you startup to rescue.target. It asks for a root password or to press Control-D to continue. If I control-D to continue, startup proceeds to default.target. That's typically multi-user.target (runlevel 3), or graphical.target (runlevel 5).
I could boot from alternate media, and presumably mount and chroot this installation, and compel a change to the root password. But apparently not from the installation itself.
Chris Murphy
Around 06:12pm on Thursday, January 02, 2014 (UK time), Chris Murphy wrote:
On Jan 2, 2014, at 9:32 AM, Steve Searle steve@stevesearle.com wrote:
Not on Fedora 20 at least, and I think since even Fedora 19, if you use "single" boot param you startup to rescue.target. It asks for a root password or to press Control-D to continue. If I control-D to continue, startup proceeds to default.target. That's typically multi-user.target (runlevel 3), or graphical.target (runlevel 5).
Ah - cheers. I've not tried it for a long time. I better not forget my root password then :-)
Steve
On Jan 2, 2014 11:12 AM, "Chris Murphy" lists@colorremedies.com wrote:
On Jan 2, 2014, at 9:32 AM, Steve Searle steve@stevesearle.com wrote:
Around 12:43am on Tuesday, December 31, 2013 (UK time), Patrick O'Callaghan wrote:
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
Just to emphasise what Patrick says, if you boot Linux into single user mode, you can get root access without needing a password, which would bypass any setup you had done this way.
Not on Fedora 20 at least, and I think since even Fedora 19, if you use "single" boot param you startup to rescue.target. It asks for a root password or to press Control-D to continue. If I control-D to continue, startup proceeds to default.target. That's typically multi-user.target (runlevel 3), or graphical.target (runlevel 5).
I could boot from alternate media, and presumably mount and chroot this installation, and compel a change to the root password. But apparently not from the installation itself.
Chris Murphy
The kernel still accepts "init=/bin/sh" . An encrypted volume definitely slows things down, but physical access gives a lot of freedom.
--Pete
On 01/02/2014 08:32 AM, Steve Searle wrote:
You would be better off using disc encryption, and claiming that you used a long pass phrase which you had written down rather than remembered, and that you had destroyed the paper it was written on.
Just to toss an idea out here. Imagine an accountant who has all of his work data on a big partition mounted at (let's say) /data. If he wanted to hide a "second set of books," he could close his accounting program, unmount the partition and restart the program, so that /data now pointed to someplace on his main partition. When he's done, he exits and remounts the partition. The data's there, you can get to it if you know what to do, but I can't help but wonder how likely anybody, such as a forensic accountant, that was examining your system would even think of such a thing. Any thoughts?
On Thu, 2 Jan 2014, Joe Zeff wrote:
On 01/02/2014 08:32 AM, Steve Searle wrote:
You would be better off using disc encryption, and claiming that you used a long pass phrase which you had written down rather than remembered, and that you had destroyed the paper it was written on.
Just to toss an idea out here. Imagine an accountant who has all of his work data on a big partition mounted at (let's say) /data. If he wanted to hide a "second set of books," he could close his accounting program, unmount the partition and restart the program, so that /data now pointed to someplace on his main partition. When he's done, he exits and remounts the partition. The data's there, you can get to it if you know what to do, but I can't help but wonder how likely anybody, such as a forensic accountant, that was examining your system would even think of such a thing. Any thoughts?
1) friend of mine many years ago used to do that -- while working full-time for a company, he created a separate filesystem on the company server for his own stuff that he would mount manually.
2) any forensic analyst that would be fooled by something like that would be a total incompetent.
rday
On 01/02/2014 12:30 PM, Robert P. J. Day wrote:
friend of mine many years ago used to do that -- while working full-time for a company, he created a separate filesystem on the company server for his own stuff that he would mount manually.
any forensic analyst that would be fooled by something like that would be a total incompetent.
No, you've got it backwards. Your friend put things on a separate file system that wasn't normally mounted. (Why isn't that partition mounted? Let's mount it and take a look.) I'm suggesting the exact opposite: unmount the partition with normal data on it to hide your data. Still, your second comment may well be true; that's why I'm asking.
On Thu, 2 Jan 2014, Joe Zeff wrote:
On 01/02/2014 08:32 AM, Steve Searle wrote:
You would be better off using disc encryption, and claiming that you used a long pass phrase which you had written down rather than remembered, and that you had destroyed the paper it was written on.
Just to toss an idea out here. Imagine an accountant who has all of his work data on a big partition mounted at (let's say) /data. If he wanted to hide a "second set of books," he could close his accounting program, unmount the partition and restart the program, so that /data now pointed to someplace on his main partition. When he's done, he exits and remounts the partition. The data's there, you can get to it if you know what to do, but I can't help but wonder how likely anybody, such as a forensic accountant, that was examining your system would even think of such a thing. Any thoughts?
A forensic accountant might not see it, since they aren't trained in computer forensics. However, any computer forensics guy will see it (and give it to the accountant).
billo
On 01/02/2014 12:47 PM, Bill Oliver wrote:
A forensic accountant might not see it, since they aren't trained in computer forensics. However, any computer forensics guy will see it (and give it to the accountant).
Rather what I thought. A clever idea that sounds good enough for a book, movie or TV show but probably wouldn't work in Real Life.
On 14-01-02 13:12:31, Chris Murphy wrote:
On Jan 2, 2014, at 9:32 AM, Steve Searle steve@stevesearle.com wrote:
Around 12:43am on Tuesday, December 31, 2013 (UK time), Patrick O'Callaghan wrote:
Conclusion: better look for some other way to cover your tracks, and note that a forensic investigation can be carried out without having you log in at all.
Just to emphasise what Patrick says, if you boot Linux into single user mode, you can get root access without needing a password, which would bypass any setup you had done this way.
Not on Fedora 20 at least, and I think since even Fedora 19, if you use "single" boot param you startup to rescue.target. It asks for a root password or to press Control-D to continue. If I control-D to continue, startup proceeds to default.target. That's typically multi-user.target (runlevel 3), or graphical.target (runlevel 5).
I could boot from alternate media, and presumably mount and chroot this installation, and compel a change to the root password. But apparently not from the installation itself.
There are also initrd break targets, documented in `man dracut.cmdline`:
"rd.break={cmdline|pre-udev|pre-trigger|initqueue|pre-mount|mount |pre-pivot|cleanup} drop to a shell on defined breakpoint"
See `man dracut.bootup` to find out when they happen.
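
The boot parameters mentioned in this thread (`single`, `init=/bin/sh`, `rd.break`) can be checked for on a running system by reading `/proc/cmdline`. The script below is an added example, not something posted by any participant; it also covers the `emergency`, `-b` and `systemd.unit=` spellings that systemd accepts, which goes slightly beyond the cases named above. The function names and the sample command lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag kernel command-line parameters that alter the normal
# boot path, so an admin can tell whether the running system was started
# with one of them. Function names here are hypothetical.

# classify_param PARAM
# Prints one finding line for a parameter of interest, nothing otherwise.
classify_param() {
    case "$1" in
        init=*)
            # The kernel runs the named program instead of the normal init,
            # so no login or sulogin prompt is involved.
            echo "init-override: $1" ;;
        rd.break|rd.break=*)
            # dracut breakpoint: shell inside the initramfs
            # (see dracut.cmdline(7)).
            echo "initramfs-shell: $1" ;;
        single|s|S|1|rescue|systemd.unit=rescue.target)
            # systemd maps these to rescue.target, which asks for the
            # root password.
            echo "rescue-target: $1" ;;
        emergency|-b|systemd.unit=emergency.target)
            echo "emergency-target: $1" ;;
    esac
}

# audit_cmdline "CMDLINE STRING"
# Splits the string on whitespace and classifies each parameter.
# Runs in a subshell with globbing off so a stray '*' is not expanded.
# Limitation: quoted parameters containing spaces are split naively.
audit_cmdline() (
    set -f
    for p in $1; do
        classify_param "$p"
    done
)

# count_findings "CMDLINE STRING" -> number of flagged parameters
count_findings() {
    audit_cmdline "$1" | wc -l | tr -d ' '
}

# Stand-alone use: audit the command line the running kernel was booted with.
# A constructed clean line looks like:
#   BOOT_IMAGE=/vmlinuz-constructed root=/dev/mapper/fedora-root ro rhgb quiet
# A constructed flagged line looks like:
#   BOOT_IMAGE=/vmlinuz-constructed root=/dev/sda1 ro rd.break=pre-mount
if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)"
fi
```

An empty result only says the current boot used none of these parameters; it says nothing about a disk that was imaged or mounted from other media, which is the case the thread keeps returning to.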