Request for Review - Fedora Security Basics
Felipe Alfaro Solana
felipe.alfaro at gmail.com
Mon Oct 10 09:02:45 UTC 2005
> You have no real way to protect someone from getting into to your system
> if the intruder has physical access. Such questions come up pretty
> frequently. In general, Fedora systems have good defaults where
> developers have analyzed and settled upon something or the other. While
> we explain security in such documents we need to document the other
> potential ways the system can be configured to be secured better and
> explain why the defaults are such. Its a given that we want the
> defaults to be as secure as possible, so we should be proactive about
> reporting enhancements to make it as such instead of documenting
> workarounds wherever possible.
I agree that having physical access to the machine could make easy for
an intruder to get into it, but sometimes the intruder has limited
physical access, that is, the intruder can't steal the hard drive or
the machine, only sit at the keyboard, restart the machine into
single-user mode and reset the root password (and yes, I know I we can
use a GRUB password).
I think the "you've got physical access, you're lost" sentence is not
a reason enough not to modify "/etc/inittab" and put "sulogin" for
singleuser. Other distros do it and I really appreciate this extra
level of security. It's not usually a burden for a legit sysadmin, and
it makes a little bit more difficult to get root access for non
authorized people.
More information about the docs
mailing list