On Tue, 2012-05-15 at 01:40 -0700, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message in
> startup FreeBSD: "Hit [Enter] to boot immediately, or any other key for
> command prompt."
> After seeing it, if you press any key you enter another mode, and if you type
> '?' you can see the list of commands. I want to remove this mode. It's so
> important that a user can't access this mode.

Set autoboot_delay="-1" in /boot/loader.conf. See /boot/defaults/loader.conf for more information.

> Who can help me?
> Thanks
>
> ---------- Forwarded message ----------
> From: mahdieh salamat <[email protected]>
> Date: Mon, May 14, 2012 at 4:29 AM
> Subject: Re: Single user mode
> To: Vahid Shokouhi <[email protected]>
>
> I really thank you, it's a really perfect forum. I searched more and more to
> find a Persian website about FreeBSD, now I find it. Thank you
>
> On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi
> <[email protected]> wrote:
>
> > You are most welcome.
> >
> > [I don't know if you know this place, assuming you don't know, I let you
> > know]:
> >
> > www.imenpardis.com
> >
> > This site, which is actually for "Imen Pardis" company, is owned by
> > Mr. Babak Farrokhi, who is a famous port-maintainer in FreeBSD project (the
> > only person in the middle east), and author of a great book on FreeBSD
> > administration. He is a guru in all Unix family: Unix, Solaris, BSD, Linux;
> > you can google his name and get some info about him. He is a well-known
> > Unix expert in the world.
> > You can join its forum and can ask your question and also help others
> > solve their problem. I don't know all people in the forum, but as
> > Mr. Farrokhi is always supportive and available to answer your question, you
> > can get the right answer from the right person. If I know one word in
> > FreeBSD, he knows thousands.
> >
> > Regards
> >
> > On 2012-05-14 13:08, mahdieh salamat wrote:
> >
> >> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
> >> Thanks a lot
> >>
> >> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi
> >> <[email protected]> wrote:
> >>
> >>> Hi
> >>>
> >>> Well, there are 2 approaches to any machine security. First, you
> >>> have a fresh machine and it's supposed to be only for you; second,
> >>> you are admin of a machine which others have access to for
> >>> their work purpose.
> >>> Your question seems close to first scenario.
> >>>
> >>> As I wrote before, yes it's possible (by default) that any user
> >>> gain access to your machine resources in single-user mode; so we
> >>> talked about editing /etc/tty. The other place which needs to be
> >>> taken care of is /etc/login.access; every time a user wants to
> >>> log in, FreeBSD checks this file and its rules. By default there is
> >>> NO rule defined, which means NO restriction to log in. You can config
> >>> this file in 2 ways [like switch and router's ACL]: you can use
> >>> "_permit-based_" rules - in which you first permit specific user(s)
> >>> and then deny others. And you can use "_deny-based_" rules - in which
> >>> you deny ALL and then permit someone. You should be familiar with
> >>> syntax and format of this file, for example it uses "+" to give
> >>> access and "-" to reject access. For example:
> >>>
> >>> The following is "permit-based"; it gives "wheel" group console
> >>> access and rejects the others (ALL). Note the "+" & "-"
> >>>
> >>> +:wheel:console
> >>> -:ALL:console
> >>>
> >>> The following is "deny-based". Note the syntax of how "permit" is
> >>> given:
> >>>
> >>> -:ALL EXCEPT wheel:console [EXCEPT is permit definer]
> >>>
> >>> The second format is more preferred and recommended; it is both
> >>> short and somehow more secure.
> >>>
> >>> Anyway, this is for 1st situation that the machine is only yours;
> >>> and you can protect your machine with implying some physical-access
> >>> rules. But in real world you have to deal with the second condition. Then
> >>> you have to focus on many things: limiting users to use any resource
> >>> by editing /etc/login.conf, the permission of files, the flags,
> >>> clearing your machine from unknown/unnecessary users (daemons),
> >>> using jail and so on.
> >>>
> >>> I hope it is helpful for you and gives you some hints on securing.
> >>>
> >>> If there is any question, please feel free and don't hesitate to
> >>> ask.
> >>>
> >>> Regards
> >>>
> >>> Vahid Shokouhi
> >>>
> >>> On 2012-05-14 09:53, mahdieh salamat wrote:
> >>>
> >>>> Thanks for your help, it was so useful. I want to know that when a user
> >>>> is using a machine and he/she doesn't have root's password, can he/she
> >>>> access it? For example by single user mode or other modes?
> >>>>
> >>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi
> >>>> <[email protected]> wrote:
> >>>>
> >>>>> Hi
> >>>>> Yes, it is possible to gain access via single-user, but
> >>>>> single-user mode is for root user to configure something as he
> >>>>> likes; but if the machine is accessible for others, you need to edit
> >>>>> "/etc/tty" to prompt for a password in single user mode, although
> >>>>> keep in mind anyone with physical access to the machine can still
> >>>>> retrieve your data through various methods.
> >>>>> In /etc/tty note "secure" term which actually has different
> >>>>> meaning. It means that you consider, for example "console" as a
> >>>>> secure mode; so you have to change it to "insecure".
> >>>>> After rebooting and entering single user mode, you will be
> >>>>> prompted for a password to get to the shell prompt.
> >>>>>
> >>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
> >>>>>
> >>>>>> Hi everybody. I have a question about single user mode in
> >>>>>> FreeBSD. Security is so important for me. I want to know: if
> >>>>>> someone doesn't know my root's password, can they access it?
> >>>>>> In other words, in our FreeBSD we don't have FreeBSD boot loader
> >>>>>> menu, we delete it for our users because of security.
> >>>>>> I want to know, is there any other way except boot loader menu for
> >>>>>> our user to access our root's password?
> >>>>>> Thanks
> >>>>>> _______________________________________________
> >>>>>> [email protected] mailing list
> >>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>>>>> To unsubscribe, send any mail to
> >>>>>> "freebsd-security-unsubscribe@freebsd.org"
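
The two settings recommended in this thread, autoboot_delay="-1" in /boot/loader.conf and a console entry marked insecure, can be verified with a small script. This is an added example, not part of the original messages: the function names and sample files are constructed, and it assumes the console entry lives in the ttys file (/etc/ttys on a FreeBSD host).

```shell
#!/bin/sh
# Added example: check copies of loader.conf and ttys for the two settings
# discussed in the thread. Function names and sample files are constructed.

# Print the effective value of a loader.conf variable (last assignment wins;
# commented-out lines are ignored).
loader_value() {  # $1 = variable name, $2 = file
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$2" |
        tail -n 1
}

# Succeed only if a key press cannot interrupt autoboot.
autoboot_locked() {  # $1 = loader.conf
    [ "$(loader_value autoboot_delay "$1")" = "-1" ]
}

# Succeed only if the console entry carries the "insecure" flag, so init
# asks for the root password before starting a single-user shell.
console_insecure() {  # $1 = ttys
    awk '$1 == "console" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break          # rest of the line is a comment
                 if ($i == "insecure") ok = 1
             }
         }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Report every weak setting; the return value is the number of findings.
audit() {  # $1 = loader.conf, $2 = ttys
    findings=0
    autoboot_locked "$1" ||
        { echo "FINDING: $1: autoboot_delay is not \"-1\""; findings=$((findings + 1)); }
    console_insecure "$2" ||
        { echo "FINDING: $2: console is not marked insecure"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample files: one default-like pair, one hardened pair.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#autoboot_delay="-1"' 'autoboot_delay="3"' > "$demo/loader.weak"
printf '%s\n' 'autoboot_delay="10"' 'autoboot_delay="-1"' > "$demo/loader.hard"
printf '%s\n' 'console none unknown off secure # insecure' > "$demo/ttys.weak"
printf '%s\n' 'console none unknown off insecure' > "$demo/ttys.hard"

audit "$demo/loader.weak" "$demo/ttys.weak" || echo "weak copy: $? finding(s)"
audit "$demo/loader.hard" "$demo/ttys.hard" && echo "hardened copy: clean"
```

On a live system, call `audit /boot/loader.conf /etc/ttys` instead of the sample copies.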
