Request for Review - Fedora Security Basics

Tom Diehl tdiehl at rogueind.com
Mon Oct 10 20:06:41 UTC 2005


On Mon, 10 Oct 2005 esm at logic.net wrote:

> On Sun, Oct 09, 2005 at 07:22:43PM -0400, Tom Diehl wrote:
> > Because requiring a passwd on a box that you can sit in front of and take
> > apart is STUPID!!
> 
> Invalid assumption; one can have access to the console without having
> direct physical access. Think IP-based KVMs, where you can go so far as
> being able to power cycle a system without being able to put hands on the
> machine. Serial consoles are a similar situation.

Well, I will admit I had not thought of that case. :-) In that case they can
still play with grub and bypass the root passwd at boot time, so how does
that help?

I am sure we could argue different corner cases on this forever. :-) I hope
you will agree this is a corner case though.

> 
> Requiring a password for single-user login allows for a breach of KVM or
> serial console server security without opening the attached systems to
> attack. Grub passwords only solve half the problem (modification or misuse
> of the bootloader); single-user passwords prevent the attacker from taking
> advantage of a hardware fault (perhaps one that they triggered). Both are
> necessary to properly secure the boot process when the console can be
> reached over a network or from a shared/less-secured console area.

How does a grub passwd not solve the problem? As someone else already mentioned,
if you can modify the bootloader you can run init=/bin/sh from the grub command
line and bypass the passwd checks anyway.

> Granted, this is only an issue for data-center environments generally. I
> just wanted to point it out as a use case that I'm familiar with.

But in a data center environment you already control who is sitting in front
of the console. If you do not then you have other problems. I will admit that
there are exceptions to every rule but in the majority of cases booting to
RL 1 without a passwd is the least of your problems, if you are worried about
security.

My whole point to this goes back to the original concept of "If you have
physical access to the machine it is not secure". I will argue that a grub
passwd does more to protect from the casual user trying to gain root access
than requiring a passwd for RL-1. It is just too easy to bypass. If, as others
have argued, the would-be cracker only has access to the console but no access
to the physical machine, then a grub passwd or simply disabling <ctrl><alt><del>
is the way to go. If they can't reboot it they will never see grub to play with
it.

Regards,

Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com
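An added audit script, not part of Tom's or esm's messages, that checks for the three console controls the thread argues about (a GRUB password, a password-protected single-user mode via sulogin, and a disabled Ctrl-Alt-Del entry) on a GRUB-legacy/sysvinit system such as Fedora Core of that era. The sample grub.conf and inittab contents are constructed, and the GRUB password hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the list: audit the three console controls the
# thread argues about on a GRUB-legacy/sysvinit system (Fedora Core era).
# Paths are parameters so it can run against copies; the real files are
# /boot/grub/grub.conf and /etc/inittab.
audit_boot_hardening() {
    grubconf="$1"; inittab="$2"; findings=0
    # 1. GRUB password: without it a console user can edit the kernel line
    #    (init=/bin/sh) and skip every later check, as the thread notes.
    if grep -Eq '^[[:space:]]*password([[:space:]]|$)' "$grubconf"; then
        echo "ok:   grub.conf sets a bootloader password"
    else
        echo "FAIL: grub.conf has no password line"; findings=$((findings+1))
    fi
    # 2. Single-user password: sulogin asks for root's password in runlevel S.
    if grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$inittab"; then
        echo "ok:   inittab runs sulogin for single-user mode"
    else
        echo "FAIL: single-user mode gives a shell without a password"
        findings=$((findings+1))
    fi
    # 3. Ctrl-Alt-Del: an active ca::ctrlaltdel entry lets a console user
    #    reboot the box and reach the GRUB menu in the first place.
    if grep -Eq '^[^#]*ctrlaltdel' "$inittab"; then
        echo "FAIL: inittab still honours Ctrl-Alt-Del"; findings=$((findings+1))
    else
        echo "ok:   Ctrl-Alt-Del is disabled or commented out"
    fi
    return "$findings"   # 0 = all three controls present, else count of gaps
}

# Constructed sample files: a stock-looking setup and a hardened one.
work=$(mktemp -d)
printf 'default=0\ntitle Fedora\n\tkernel /vmlinuz ro root=/dev/hda2\n' \
    > "$work/grub.stock"
printf 'id:3:initdefault:\nca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' \
    > "$work/inittab.stock"
# Hardened: password line first in grub.conf (hash would come from
# grub-md5-crypt; placeholder here), sulogin added, ctrlaltdel commented.
printf 'password --md5 PLACEHOLDER_MD5_HASH\ndefault=0\ntitle Fedora\n' \
    > "$work/grub.hard"
printf '\tkernel /vmlinuz ro root=/dev/hda2\n' >> "$work/grub.hard"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$work/inittab.hard"
printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' >> "$work/inittab.hard"

echo "--- stock ---";    audit_boot_hardening "$work/grub.stock" "$work/inittab.stock" || :
echo "--- hardened ---"; audit_boot_hardening "$work/grub.hard" "$work/inittab.hard" || :
```

The grub.conf check only confirms a password line exists; as Tom notes, it is the reboot path (Ctrl-Alt-Del or power control) that decides whether anyone reaches the menu at all.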