* Joco Salvatti <[EMAIL PROTECTED]> [2006-06-21 11:38]:
> My doubts may seem foolish, so thanks in advance for those who will read
> this e-mail and may help me with my doubts.
> 
> 1. Why doesn't passwd ask superuser's current password when it's run
> by the superuser to change its own password? May not it be considered
> a serious security flaw?

        No. You're already root. You can also do:

        vipw
        cat /etc/master.passwd | sed s/root:.+:/root::/ > /tmp/shit && mv /tmp/shit /etc/master.passwd && pwd_mkdb
        
        etc. etc. etc.

> 
> 2. Why doesn't the system ask the password, as a default action, to
> log in the system, when entering in single user mode? May not it also
> be considered a serious security flaw? And why doesn't there exist a
> different password to log in single user mode, instead of using root's
> password?
> 

        No, because if you have single user mode you have physical
access to the machine. If I have physical access to the machine
I can plug in the USB key around my neck, boot the system on it instead,
mount your disk and do the above from case one.


> A real example:
> 
> Let's suppose an attacker entered the room where an OpenBSD server is
> located in, and by mistake the system administrator has forgotten to
> logout the root login session. So the attacker could enter in single
> user mode, without the need for the root password, and load a
> malicious kernel module. He also could do millions of other things,
> but changing root's password, because the system administrator would
> notice it immediately.
> I believe it could be more difficult for the attacker if there were a
> different password to log in the system in single user mode.

        No, because even if you didn't forget to log out, read the above. If
I have physical access to your machine, you are fucked. It's that
simple. I don't need to have you logged in as root to get single user
- I simply hit the power button, and boot single user, or boot up the
USB key/cdrom/floppy/zaurus-set-up-as-a-boot-server-in-me-pocket that
is in my pocket, which I already have root and all the malicious shit
I want on it and can copy on to your disk. And face it, your machine's
BIOS is *not* OpenBSD and is *not* secure. Period.

        IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you, every
new sysadmin I know asks this. The point is, if OpenBSD put a root
password on single user, you might be tempted to think that somehow,
someway, a not-physically secured machine was secure, and be tempted
to deploy it that way. And don't laugh, I've seen the assumption made
(I work at a university). My point is that putting "security" measures
in place that do not do anything because of equivalent access make
people believe that they *do* do something, and therefore people make
incorrect assumptions and do things insecurely. 

        "Physical access is everything highness. Anyone who says differently
is selling something."

        -Bob
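
Added example, not part of the original thread: a defender-side audit of a master.passwd(5)-format file for the kind of change discussed under question 1 (a blanked password field), plus unexpected uid-0 accounts and malformed lines. The function names and the sample entries are constructed for illustration; the ten-field layout is the one documented in master.passwd(5).

```shell
#!/bin/sh
# Audit a master.passwd(5)-format file.
# Fields: name:password:uid:gid:class:change:expire:gecos:home_dir:shell

audit_master_passwd() {
    # $1 = path to the file to audit; prints one finding per line.
    awk -F: '
        /^$/     { next }                                   # skip blank lines
        NF != 10 { printf "MALFORMED line %d (%d fields)\n", NR, NF; next }
        $2 == "" { printf "EMPTY_PASSWORD %s\n", $1 }       # no password needed
        $3 ~ /^0+$/ && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    ' "$1"
}

write_sample() {
    # Constructed sample data; the hash strings are placeholders, not real hashes.
    cat <<'EOF'
root::0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
toor:$2b$10$CONSTRUCTEDPLACEHOLDER:0:0::0:0:constructed:/root:/bin/ksh
alice:$2b$10$CONSTRUCTEDPLACEHOLDER:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
broken:line
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample > "$sample"
audit_master_passwd "$sample"
rm -f "$sample"
```

On a live system the file is readable only by root, so run the audit as root against /etc/master.passwd and compare the findings with a known-good baseline kept off the machine.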
