Dear All
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
Thanks in advance,
Paul
On Friday 09 December 2005 13:58, Paul Smith wrote:
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
Dear Paul
Security is just a theory, it doesn't actually exists. When you talk about security, you are actually talking about a "sense of security".
Each and every single "security" messure can be broken. The main factor is TIME. By adding more and more challenges to potential hackers, you are actually buying time.
In your case, the sensible thing to do would be 1. Setup bios to only boot from hard drive 2. Password protect bios 3. Put a physical lock on the case so they can't open it.
On another note, did you know that you don't even need a live cd?
When you're at the grub screen, press the a key to append 'single' to the kernel and you'll be boot into single user mode where you are root without having to type a password. Solution to that: password protect grub. (see man grub)
HTH
Andy
On Fri, 2005-12-09 at 08:58, Paul Smith wrote:
Dear All
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
Thanks in advance,
Paul
As others have pointed out, if you do not have physical security of your system there is no way to prevent someone from accessing the system. The only thing that can be done is to encrypt your data files and keep the keys or passwords protected. But even that does not guarantee that someone won't be able to break the encryption given enough time and resources.
This is true of any system out there. This is why many companies institute a two man rule for some equipment rooms. If someone needs access to the cage with sensitive servers/data two people must enter and leave the room at the same time. The idea is that no one is left alone with the equipment. They also will have cameras recording anything that happens.
Paul Smith wrote:
Dear All
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
If you have phyical access to a machchine, you have always the complete control over the machine. You can boot with rescure CD and set root's password to whatever you want. That's not a big risk though!
In your case encrypting the home partitions would be a solution. Try 'man cryptsetup' on a Linux 2.6 machine. There are plenty of documents concerning partition encrpting. Google helps!
Use ecnryption only if you understand, what you are doing!!
greets Boris
"PS" == Paul Smith phhs80@gmail.com writes:
PS> I have noticed that from SLAX liveCD, one has total and PS> free access to the home partition of all Linux (Fedora) accounts PS> in the hard-disk of the computer.
If you can boot a machine with the media of your choice and that machine doesn't require some soft of external input to access encrypted data then you have free run of it. It doesn't really matter what OS you're running on it. They could just as well pull out the hard drive and access it at their leisure. If they have physical access to a machine, they can do what they will. There's nothing special about the SLAX CD or even Linux that allows this.
PS> In this way, with a SLAX disk, everyone can spy all accounts in PS> the hard-disk. How can this be prevented?
The basic measure is to password protect the BIOS and disable booting from anything but the hard drive. It is theoretically possible to encrypt all of the drives and then either require user input or the presence of some external device like a USB fob containing encryption keys. Perhaps there's a more paranoid Linux distro out there which supports this.
- J<
Thanks for the whole discussion. I was not aware of such security vulnerabilities.
Paul
On Fri, 2005-12-09 at 10:58, Paul Smith wrote:
Thanks for the whole discussion. I was not aware of such security vulnerabilities.
Paul
This is also why you should view security in layers not just on the perimeter. Good locks will provide the bulk of your security. Most security threats are not from external sources but from internal users/admins.
You have to evaluate the threats in your environment and determine which are more likely to occur and what the costs are to mitigate those risks vs. not protecting your systems. Each situation will be different.
Trusted Platform Module (TPM), does it help? Can it at all deliver these functions being discussed? I mean does FC4 support this technology? Of course data has to be encrypted, else the data fashions invisible clothing.
On 12/9/05, Jason L Tibbitts III tibbs@math.uh.edu wrote:
The basic measure is to password protect the BIOS and disable booting from anything but the hard drive. It is theoretically possible to encrypt all of the drives and then either require user input or the presence of some external device like a USB fob containing encryption keys. Perhaps there's a more paranoid Linux distro out there which supports this.
-- Anil Kumar Shrama
got to add....
On 12/10/05, Anil Kumar Sharma xplusaks@gmail.com wrote:
Trusted Platform Module (TPM), does it help? Can it at all deliver these functions being discussed? I mean does FC4 support this technology? Of course data has to be encrypted, else the data fashions invisible clothing.
Also, TPM is on mobo, it can even be on hdd (or flash) where the data is. But again data has to be stored encrypted. So it leads to Hardware encryption via TPM', no penalty on CPU, HDD handles compressed data.
-- Anil Kumar Shrama
Intel released there TPM soon after 9-11 following the release of there S-ATA specs
http://www.intel.com/cd/channel/reseller/asmo-na/eng/new_tech_and_intel_alli...
Intel is well on-top of the topic at hand.
----- Original Message ----- From: Anil Kumar Sharma To: For users of Fedora Core releases Sent: Friday, December 09, 2005 1:02 PM Subject: Re: Security hole
got to add....
On 12/10/05, Anil Kumar Sharma <xplusaks@gmail.com > wrote: Trusted Platform Module (TPM), does it help? Can it at all deliver these functions being discussed? I mean does FC4 support this technology? Of course data has to be encrypted, else the data fashions invisible clothing.
Also, TPM is on mobo, it can even be on hdd (or flash) where the data is. But again data has to be stored encrypted. So it leads to Hardware encryption via TPM', no penalty on CPU, HDD handles compressed data.
-- Anil Kumar Shrama
------------------------------------------------------------------------------
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
On Sat, Dec 10, 2005 at 02:32:23 +0530, Anil Kumar Sharma xplusaks@gmail.com wrote:
got to add....
On 12/10/05, Anil Kumar Sharma xplusaks@gmail.com wrote:
Trusted Platform Module (TPM), does it help? Can it at all deliver these functions being discussed? I mean does FC4 support this technology? Of course data has to be encrypted, else the data fashions invisible clothing.
Also, TPM is on mobo, it can even be on hdd (or flash) where the data is. But again data has to be stored encrypted. So it leads to Hardware encryption via TPM', no penalty on CPU, HDD handles compressed data.
TPM won't help as they can pull the disk. TPM is used to ensure that the OS running is the one it is supposed to be. It doesn't apply to hard disks.
I wouldn't trust built in HDD encryption for some purposes, as that probably has a back door for law enforcement as hard drive manufacturers would be pressured into doing that. And if there is a back door for LE other groups might have access to it as well.
What you should do depends on what your threat model is. How valuable is the data. How much would it hurt if other people saw it, it was lost, or it was changed. What resources do your adversaries have available. What are the odds of a natural disaster or accidental distaster occuring.
On Fri, 2005-12-09 at 13:58 +0000, Paul Smith wrote:
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
Only by encryption.
Most operating systems only provide some sort of security that makes it difficult for someone else to log on. If you can log on, or you can avoid using that OS, you can read the files.
Usernames and passwords are pretty much like keys to enter private rooms. All they do is make entry difficult. They do nothing to directly protect the contents.
On Fri, 2005-12-09 at 13:58 +0000, Paul Smith wrote:
Dear All
I have noticed that from SLAX liveCD, one has total and free access to the home partition of all Linux (Fedora) accounts in the hard-disk of the computer. In this way, with a SLAX disk, everyone can spy all accounts in the hard-disk. How can this be prevented?
If someone has physical access to your machine, they own your machine. Period. If they can boot off a CD, they own your machine.
You can do some stuff like make it so your computer won't boot off CD, and then password protect the BIOS. That comes closer. But if someone can lay hands on your machine, all they need to do is pop the drive and they own your data.
TC
Thomas Cameron thomas.cameron@camerontech.com writes:
But if someone can lay hands on your machine, all they need to do is pop the drive and they own your data.
Some drives have ATA commands to password protect the disk. This password needs to be entered each time the disk is powered on and without it the disk refuses to honor most disk commands. Its not as good as cryptographically protecting your data, but it should prevent anyone from casually booting from alternate media and reading or even modifying your whole filesystem.
-wolfgang
--- Thomas Cameron thomas.cameron@camerontech.com wrote:
On Fri, 2005-12-09 at 13:58 +0000, Paul Smith wrote:
Dear All
I have noticed that from SLAX liveCD, one has
total and free access to
the home partition of all Linux (Fedora) accounts
in the hard-disk of
the computer. In this way, with a SLAX disk,
everyone can spy all
accounts in the hard-disk. How can this be
prevented?
If someone has physical access to your machine, they own your machine. Period. If they can boot off a CD, they own your machine.
You can do some stuff like make it so your computer won't boot off CD, and then password protect the BIOS. That comes closer. But if someone can lay hands on your machine, all they need to do is pop the drive and they own your data.
TC
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Paul, Did you install LVM automatically from within Anaconda? Because if you did, Slax, Knoppix, Kanotix or any other livecd out there can detect the partitions but not access them except the /boot partition where grub resides and you can make minor corrections. I also use SLAX and have tried to view the partitions and it only allows me to view /boot partition /dev/hda1 which is mounted on /mnt/hda1. Kanotix see's all the partitions but is very selective as to allow read/write, by default the partitions are not mounted and one has the option to open read only or read/write.
My guess is that you do not have LVM partitions. Otherwise Slax cannot access them except for boot partition.
Best Regards,
Antonio
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On 12/11/05, Antonio Olivares olivares14031@yahoo.com wrote:
I have noticed that from SLAX liveCD, one has
total and free access to
the home partition of all Linux (Fedora) accounts
in the hard-disk of
the computer. In this way, with a SLAX disk,
everyone can spy all
accounts in the hard-disk. How can this be
prevented?
If someone has physical access to your machine, they own your machine. Period. If they can boot off a CD, they own your machine.
You can do some stuff like make it so your computer won't boot off CD, and then password protect the BIOS. That comes closer. But if someone can lay hands on your machine, all they need to do is pop the drive and they own your data.
Paul, Did you install LVM automatically from within Anaconda? Because if you did, Slax, Knoppix, Kanotix or any other livecd out there can detect the partitions but not access them except the /boot partition where grub resides and you can make minor corrections. I also use SLAX and have tried to view the partitions and it only allows me to view /boot partition /dev/hda1 which is mounted on /mnt/hda1. Kanotix see's all the partitions but is very selective as to allow read/write, by default the partitions are not mounted and one has the option to open read only or read/write.
My guess is that you do not have LVM partitions. Otherwise Slax cannot access them except for boot partition.
Thanks, Antonio. I first need to learn what LVM partitions are to fully understand your post, as I do not know what LVM partitions are.
Paul
--- Paul Smith phhs80@gmail.com wrote:
On 12/11/05, Antonio Olivares olivares14031@yahoo.com wrote:
I have noticed that from SLAX liveCD, one has
total and free access to
the home partition of all Linux (Fedora)
accounts
in the hard-disk of
the computer. In this way, with a SLAX disk,
everyone can spy all
accounts in the hard-disk. How can this be
prevented?
If someone has physical access to your machine,
they
own your machine. Period. If they can boot off a CD, they own
your
machine.
You can do some stuff like make it so your
computer
won't boot off CD, and then password protect the BIOS. That comes closer. But if someone can lay hands on your machine, all they need to
do
is pop the drive and they own your data.
Paul, Did you install LVM automatically from within Anaconda? Because if you did, Slax, Knoppix,
Kanotix
or any other livecd out there can detect the partitions but not access them except the /boot partition where grub resides and you can make
minor
corrections. I also use SLAX and have tried to
view
the partitions and it only allows me to view /boot partition /dev/hda1 which is mounted on /mnt/hda1. Kanotix see's all the partitions but is very
selective
as to allow read/write, by default the partitions
are
not mounted and one has the option to open read
only
or read/write.
My guess is that you do not have LVM partitions. Otherwise Slax cannot access them except for boot partition.
Thanks, Antonio. I first need to learn what LVM partitions are to fully understand your post, as I do not know what LVM partitions are.
Check out http://www.linux.org/docs/ldp/howto/LVM-HOWTO/
This should help understanding LVM
Paul
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On Sun, 2005-12-11 at 11:49, Antonio Olivares wrote:
Paul, Did you install LVM automatically from within Anaconda? Because if you did, Slax, Knoppix, Kanotix or any other livecd out there can detect the partitions but not access them except the /boot partition where grub resides and you can make minor corrections.
Don't think of this as a security improvement because you can still access the whole system if you boot the fedora install CD in rescue mode and it is only a matter of time until the other distributions add LVM support.
--- Les Mikesell lesmikesell@gmail.com wrote:
On Sun, 2005-12-11 at 11:49, Antonio Olivares wrote:
Paul, Did you install LVM automatically from within Anaconda? Because if you did, Slax, Knoppix,
Kanotix
or any other livecd out there can detect the partitions but not access them except the /boot partition where grub resides and you can make
minor
corrections.
Don't think of this as a security improvement because you can still access the whole system if you boot the fedora install CD in rescue mode and it is only a matter of time until the other distributions add LVM support.
I agree. We have to be carefull with what we do/load on our computers. It is there to help us, but not a guarantee against disaster.
Some on the slax forum say that one has to modprobe lvm first and we can see the fedora partitions in FC3/FC4. I did not know this because before in FC2 we did not have lvm and slax could see the partitions and read/write to them by default. If we are the ones using the live cd's it might be okay, but if someone else with bad intentions goes in, it could be very dangerous.
Best Regards,
Antonio
-- Les Mikesell lesmikesell@gmail.com
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com