Re: root access after failed fsck
Sat, 20 Feb 2016 11:52:32 +0100 arrowscr...@mail.com > Wow, that's new to me. Thanks. Yep, the FAQ is pretty new and shiny. FAQ8 general questions. FAQ10 system management. A must read for half the questions you may have in general use. The entire FAQ is the first thing to query before the mailing list. If you are unsure about a man page, check the FAQ and search online. OpenBSD Resources section on the main page is listing the items in order for a specific reason. > Anyway, I still think that this "password rescue" should not be > allowed by default. You'll get flak for this, it is not what you think, it is what's right for the majority of users on the system. Nobody wants to be bothered for workaround, and most people manage quite more than the number of machines you run at home occasionally OpenBSD. > I know operating systems can do very little to prevent physical > problems like side-channel attacks, but this is not the case, and > this does not mean that the OS should not make it harder the attacks > even if someone have physical access. There's systems, from what I > remember (HP servers, I think), that allow remote control based on > firmware. One could use this escape "feature" to get your root, > without physical access. Same for hosts services. If you think this has not been talked and repeated yet... read this message again. > Also, the page 14.21 from faq say "I forgot my passphrase! Sorry. > This is real encryption, there's not a back door or magic unlocking > tool." why exactly the root should be different? The word encryption makes it not equivalent to single user. Consistency should be sought where applicable only, not as a magic wand regular expression. > If one lost his passphrase, it's his fault. I thought the philosophy > was "secure by default", even if this make the "computer difficult to > manage properly". You're not making much sense but if you want to continue, don't say it's somebody shouting at you later. Read the FAQ again and ponder why it is so, and not how it should be according to your single use case.
Re: root access after failed fsck
On 20/02/2016 12:52 μμ, arrowscr...@mail.com wrote: Wow, that's new to me. Thanks. Anyway, I still think that this "password rescue" should not be allowed by default. I know operating systems can do very little to prevent physical problems like side-channel attacks, but this is not the case, and this does not mean that the OS should not make it harder the attacks even if someone have physical access. There's systems, from what I remember (HP servers, I think), that allow remote control based on firmware. One could use this escape "feature" to get your root, without physical access. Same for hosts services. Also, the page 14.21 from faq say "I forgot my passphrase! Sorry. This is real encryption, there's not a back door or magic unlocking tool." why exactly the root should be different? If one lost his passphrase, it's his fault. I thought the philosophy was "secure by default", even if this make the "computer difficult to manage properly". Moreover, this is also the case with most Linux distro's you've probably used in your life. You may have to enter a password on some distro's when in single-user mode, but grub is almost always passwordless, which means you can edit it to set /bin/bash as init, which basically bypasses all such "restrictions". Secure by default does not mean that everything is hardened, as this wouldn't be that practical either. One could argue that file system permissions on binary and library folders could be more strict, or that systrace should have been setup and configured by default, but I think that this by far exceeds what a "secure OS" would be and enforces probable restrictions on sysadmins that they may not want to adhere to. I don't think that the goal of a proactively secure OS like OpenBSD is to be configured to be hardened by default so as to be used by expert or non-expert admins to feel safer, because that would be more misleading than helpful, as Stuart suggested. The goal is to have a generically safe OS where program crashes don't result in privilege escalation that easily and whose code is designed and written with security in mind to reduce vulnerabilities. It's the sysadmins' responsibility to further "secure" their installations and chose which features they'd further add which would probably make OS maintenance more difficult. Having said that, to my understanding, securing physical access by asking the pass phrase in single-user mode in an OS would be more than a marketing thing rather than a security feature per-se. George.
Re: root access after failed fsck
On 2016-02-20, arrowscr...@mail.comwrote: > Wow, that's new to me. Thanks. > Anyway, I still think that this "password rescue" should not be allowed by > default. > Also, the page 14.21 from faq say "I forgot my passphrase! Sorry. This is > real encryption, there's > not a back door or magic unlocking tool." why exactly the root should be > different? If one lost his > passphrase, it's his fault. I thought the philosophy was "secure by default", > even if this make the > "computer difficult to manage properly". Requiring the root password to enter single-user mode would only *reduce* security, by making people feel safer than they are. It's an easy task to boot an install kernel (bsd.rd) or another OS or, if you have physical access to the machine, move the disk to another machine, and access the disk from there. If you don't want people to access the files, encrypt them. Anything else is smoke and mirrors.
Re: root access after failed fsck
Wow, that's new to me. Thanks. Anyway, I still think that this "password rescue" should not be allowed by default. I know operating systems can do very little to prevent physical problems like side-channel attacks, but this is not the case, and this does not mean that the OS should not make it harder the attacks even if someone have physical access. There's systems, from what I remember (HP servers, I think), that allow remote control based on firmware. One could use this escape "feature" to get your root, without physical access. Same for hosts services. Also, the page 14.21 from faq say "I forgot my passphrase! Sorry. This is real encryption, there's not a back door or magic unlocking tool." why exactly the root should be different? If one lost his passphrase, it's his fault. I thought the philosophy was "secure by default", even if this make the "computer difficult to manage properly".
Re: root access after failed fsck
On 2016-02-20, arrowscr...@mail.comwrote: > Some minutes ago I had a energy blackout here in my city. I was running > OpenBSD. > When I booted after energy came back, the system did the usual fsck. > But this time something went wrong and he just escaped to root, without > asking for any passphrase. > The system did a question like "point the path to sh", and I just typed > "/bin/sh" and he gained access to root. > I think this is a serious security problem folks. I have softraid_crypto, so > no problem for me, but one could (probably) induce this failure to access > root when no FDE configured and he have physical access (or remove, who know > with all these Intel AMT microcodes). http://www.openbsd.org/faq/faq8.html#LostPW Read to the bottom of the question ("wait, that looked too easy"). We should add something about FDE to that question though.
Re: root access after failed fsck
As in all BSD's I know of, edit /etc/ttys (as root) and change console to be insecure (it defaults to "secure"). This way you'll be asked for a password when in single user mode. This is no security issue, it is how single user mode "operates" and it's configurable. George. PS. Be sure you won't forget your root's password :). PS2. Physical access to a box (which is usually implied when running in single user mode) can almost certainly lead to a compromised machine. On 20/02/2016 10:59 πμ, arrowscr...@mail.com wrote: Some minutes ago I had a energy blackout here in my city. I was running OpenBSD. When I booted after energy came back, the system did the usual fsck. But this time something went wrong and he just escaped to root, without asking for any passphrase. The system did a question like "point the path to sh", and I just typed "/bin/sh" and he gained access to root. I think this is a serious security problem folks. I have softraid_crypto, so no problem for me, but one could (probably) induce this failure to access root when no FDE configured and he have physical access (or remove, who know with all these Intel AMT microcodes). The /var/log/ have none logs about it, all I can show is the dmesg (if you need more information, just ask): OpenBSD 5.9-beta (GENERIC.MP) #1864: Mon Jan 25 19:11:29 MST 2016 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 16481857536 (15718MB) avail mem = 15978151936 (15237MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe98e0 (94 entries) bios0: vendor American Megatrends Inc. version "1601" date 11/27/2013 bios0: ASUSTeK COMPUTER INC. P8H61-M LX2 R2.0 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT MCFG SSDT BGRT SSDT SSDT DMAR acpi0: wakeup devices P0P1(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PEGP(S4) PEG0(S4) PEG1(S4) PEG2(S4) PEG3(S4) PXSX(S4) RP04(S4) PXSX(S4) RP03(S4) PS2K(S4) PS2M(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.43 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 100MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.03 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.02 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.02 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (P0P1) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus -1 (RP02) acpiprt4 at acpi0: bus 1 (PEG0) acpiprt5 at acpi0: bus -1 (PEG1) acpiprt6 at acpi0: bus -1 (PEG2) acpiprt7 at acpi0: bus -1 (PEG3) acpiprt8 at acpi0: bus 5 (RP04) acpiprt9 at acpi0: bus 3 (RP03) acpiprt10 at acpi0: bus 4 (PXSX) acpiec0 at acpi0: not present acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS acpicpu2 at acpi0: C1(1000@1 mwait.1), PSS acpicpu3 at acpi0: C1(1000@1 mwait.1), PSS acpipwrres0 at acpi0: FN00, resource for FAN0 acpipwrres1 at acpi0: FN01, resource for FAN1 acpipwrres2 at
root access after failed fsck
Some minutes ago I had a energy blackout here in my city. I was running OpenBSD. When I booted after energy came back, the system did the usual fsck. But this time something went wrong and he just escaped to root, without asking for any passphrase. The system did a question like "point the path to sh", and I just typed "/bin/sh" and he gained access to root. I think this is a serious security problem folks. I have softraid_crypto, so no problem for me, but one could (probably) induce this failure to access root when no FDE configured and he have physical access (or remove, who know with all these Intel AMT microcodes). The /var/log/ have none logs about it, all I can show is the dmesg (if you need more information, just ask): OpenBSD 5.9-beta (GENERIC.MP) #1864: Mon Jan 25 19:11:29 MST 2016 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 16481857536 (15718MB) avail mem = 15978151936 (15237MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe98e0 (94 entries) bios0: vendor American Megatrends Inc. version "1601" date 11/27/2013 bios0: ASUSTeK COMPUTER INC. P8H61-M LX2 R2.0 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT MCFG SSDT BGRT SSDT SSDT DMAR acpi0: wakeup devices P0P1(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PEGP(S4) PEG0(S4) PEG1(S4) PEG2(S4) PEG3(S4) PXSX(S4) RP04(S4) PXSX(S4) RP03(S4) PS2K(S4) PS2M(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.43 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 100MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.03 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.02 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu2: 256KB 64b/line 8-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz, 3200.02 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT cpu3: 256KB 64b/line 8-way L2 cache cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xf800, bus 0-63 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (P0P1) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus -1 (RP02) acpiprt4 at acpi0: bus 1 (PEG0) acpiprt5 at acpi0: bus -1 (PEG1) acpiprt6 at acpi0: bus -1 (PEG2) acpiprt7 at acpi0: bus -1 (PEG3) acpiprt8 at acpi0: bus 5 (RP04) acpiprt9 at acpi0: bus 3 (RP03) acpiprt10 at acpi0: bus 4 (PXSX) acpiec0 at acpi0: not present acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS acpicpu2 at acpi0: C1(1000@1 mwait.1), PSS acpicpu3 at acpi0: C1(1000@1 mwait.1), PSS acpipwrres0 at acpi0: FN00, resource for FAN0 acpipwrres1 at acpi0: FN01, resource for FAN1 acpipwrres2 at acpi0: FN02, resource for FAN2 acpipwrres3 at acpi0: FN03, resource for FAN3 acpipwrres4 at acpi0: FN04, resource for FAN4 acpitz0 at acpi0: critical temperature is 106 degC acpitz1 at acpi0: critical temperature is 106 degC acpibat0 at acpi0: BAT0 not present acpibat1 at acpi0: BAT1 not present acpibat2 at acpi0: BAT2 not present acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: LID0 acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09 ppb0 at pci0