Thank You for Your time and answer, Arno:

>> Hmm. I thought everybody has the same OS behavior in such
>> condition... And the problem here is only improper/default
>> configuration.
>
>That could very well be, but I haven't had a boot problem in years
>(well, except when trying out systemd). A standard Debian config should
>not offer a passwordless root shell unless you explicitly ask for it,

Oh, no! I didn't! :) Do You have an idea where to look for that? - I
have no ideas, absolutely.

>Early boot messages should be found in /var/log/boot, but bootlogd
>seems very hit&miss on my systems. Filesystem checks are logged
>in /var/log/fsck.

Same here.

>It's not about emergency situations, although it certainly can be used
>as such. It's about access: if anyone has physical access to your
>machine, there are so many ways to access your system that it is silly
>to protect against one of them.

That's right. But it is just a link in a chain of undertakings to
protect the computer totally or, to make one's life harder. :) On the
other hand, if we pursue this idea - that physical access makes a host
absolutely undefended - we can let the root account be password-less -
for why worry? I understand the things You are speaking about - but I
want to do all I can to make it more secure - even having physical
access to the host.

>So yes, protecting yourself from physical attacks by insisting on a
>root password is abnormal behaviour. How are you going to prevent an
>attacker from opening your PC and connecting the harddisk to his own
>machine?

Probably, to supply a dynamite? :) - I think it goes beyond Debian
security, doesn't it?

>> - and in case I want to commit
>> what I have targeted, I have to develop the solution myself (that is
>> there is no a config. file that I might simply turn on the password
>> prompt for root shell in such cases)?
>
>In short, yes. If you really want to be that paranoid (and there are
>good reasons for it, especially on laptops), you should be looking at
>encryption as your solution (dm-crypt, truecrypt, bitlocker), not
>passwords.

Oh, OK... Thanks again.