'Twas brillig, and Wolfgang Bornath at 26/04/12 12:05 did gyre and gimble: > 2012/4/26 Guillaume Rousse <[email protected]>: >> Le 26/04/2012 12:12, Thierry Vignaud a écrit : >> >>> On 26 April 2012 11:38, Colin Guthrie<[email protected]> wrote: >>>> >>>> It seems that in mga1 single user mode just gave a shell without >>>> requiring root password. >>>> >>>> I'm not sure when this was added, but in the initscripts changelog, I >>>> see it has come from the big mdvconf patch[1]. >>>> >>>> Can anyone remember the reason for this (perhaps it was related to tcb >>>> support?) and whether or not we should do the same thing in systemd >>>> which currently (now that I've fixed it) uses whatever SINGLE says in >>>> /etc/sysconfig/init. >>> >>> >>> This has been like this forever... >>> At least for the past decade. >>> I think other distros do/did it too. >> >> Some of them force the use of a password for single mode. Given the ease of >> bypassing it through init=/bin/sh, unless the bootloader is also protected, >> I'm a bit sceptic about the interest. > > For ages (Mandrakelinux/Mandriva) it has been > > SINGLE=/sbin/sushell
Yes, but inittab itself just referenced /bin/sh (thus not caring what SINGLE variable was set to). > as default. IMHO this default setting is a security issue. Someone > with access to your machine (in an office or whereever) can simply > turn it on (or first turn it off with the power button), select > failsafe from the boot menue and has all the privileges he wants > without any hurdles to jump. So I've been advocating to change this > entry in /etc/sysconfig/init. > > I've been also recommending users to change the matching line in > /etc/inittab accordingly: > > #Single user mode > ~~:S:wait:/sbin/sulogin > > which does the same. Unfortunately Mandrake/Mandriva developpers did > not share my view. As Guillaume pointed out, if they have physical access, you can also just pass init=/bin/sh to the kernel prompt, so I see little real security benefit here (it maybe raises the bar slightly, but insecure is insecure). Col -- Colin Guthrie colin(at)mageia.org http://colin.guthr.ie/ Day Job: Tribalogic Limited http://www.tribalogic.net/ Open Source: Mageia Contributor http://www.mageia.org/ PulseAudio Hacker http://www.pulseaudio.org/ Trac Hacker http://trac.edgewall.org/
