Security question


Forum: HD Install
Topic: Security question
started by: john.martzouco

Posted by john.martzouco on Dec. 15 2007,18:36
I've installed 4.1 (traditional HD) with multi-user support and created accounts for several users.

Normal bootup is fine: after GRUB runs the default DSL entry, I'm asked for my credentials and I boot in as a user.

I've seen an issue when booting up after I've had to force the machine off.  If I power down the machine without exiting from Xwindows or DSL, the next time I boot up, the system performs an fsck, fixes or deletes some inodes and then logs in automatically as the 'dsl' user - su(pam_unix)[56]:...  From that login, I can navigate to any place on the file system.

My question is: Is this what I should expect from all Linux distributions or is it something that needs attention because of the addition of multi-user support recently in DSL?

Posted by curaga on Dec. 15 2007,18:47
No, that's not something expected or wanted. Multi-user support has been in a long time though, but I guess no-one has thought of that..

A question: Is the prompt "Repair> "?

Posted by roberts on Dec. 15 2007,19:03
Multi-user has been in place for a very long time, and it is driven by /etc/inittab.

Booting liveCD or frugal with different (multi-users) specified by the user=name option is something new.

If yours is the second newer method then edit default grub menu to eliminate any non user= options.

If yours is the first, then it seems odd that somehow inittab would "corrupt" back to the original no login.

fsck'ing would be running as root and control given to user dsl would be via inittab.

However, any machine that can boot from cdrom, usb, floppy, etc, and someone has physical access can always choose to boot many OS, not just Linux, and gain full control of your machine.

Posted by john.martzouco on Dec. 15 2007,19:26
Quote (curaga @ Dec. 15 2007,13:47)
A question: Is the prompt "Repair> "?

No, the prompt is "dsl@console[dsl]$"
Posted by john.martzouco on Dec. 15 2007,19:43
Thanks Robert,

Quote
If yours is the second newer method then edit default grub menu to eliminate any non user= options.


I am using a traditional HD install.

The GRUB entry that I'm using reads:  kernel /boot/linux24 root=/dev/hda2 quiet vga=normal acpi=off apm nodma noscsi frugal

It's the default entry that was given when I installed GRUB, except that I modified the acpi and apm options.

Is there another way that I can turn off acpi and turn on apm so that I can remove all the options?

Quote
However, any machine that can boot from cdrom, usb, floppy, etc, and someone has physical access can always choose to boot many OS, not just Linux, and gain full control of your machine.


Okay, I understand that.  I'm not trying to bullet-proof the machine, but I would like to control the installed OS so that it doesn't open any doors like this.

Quote
Multi-user has been in place for a very long time, and it is driven by /etc/inittab.


If anyone can help me understand what changes I need to make, I'd be grateful.

Posted by curaga on Dec. 15 2007,20:01
I forgot; I knew what caused this, but forgot to say.

It's handled in /etc/init.d/{checkfs,checkroot}.sh. They both have lines that autologin after fsck with errors, for system repairing. If you comment that one line in both of them, your system will ask for login even with fsck errors.

PS: replace nodma with dma, you'll get about 3x speed

Posted by john.martzouco on Dec. 15 2007,20:14
Thanks Curaga, I'm going to try that now.
Posted by john.martzouco on Dec. 15 2007,20:35
I think the init.d changes did the trick with the login.  If the first run is indicative of what will always happen, it's very, very nice.

Changing to DMA... I don't know why, but it caused my wifi card to connect to the neighbor's WAP so I'm going to leave it at nodma for now.  Having some small issues with WPA and will try again when I get past that.

Much thanks.

Posted by roberts on Dec. 15 2007,20:39
Both of those scripts give an option or warning that it is dropping to a shell to allow manually repairing fsck errors which the standard fsck options were not able to repair. This is standard operating procedure. This sort of failure should not normally be encountered and is not as you suggested from a recent change.

Quote
My question is: Is this what I should expect from all Linux distributions or is it something that needs attention because of the addition of multi-user support recently in DSL?

Posted by john.martzouco on Dec. 15 2007,21:03
Sorry, I wasn't insinuating anything.  I just wanted to understand.  My apologies if my wording offended.  I'm trying very hard not to hurt anyone's feelings.
Posted by curaga on Dec. 15 2007,21:22
Well, the "usual" procedure is to ask for root password at that point.. Which DSL doesn't have by default.
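
An added example, not part of the thread and not DSL's own code: a small audit that lists non-comment lines in the fsck init scripts which start a shell or `su` session without asking for credentials, run here against constructed stand-ins for checkfs.sh and checkroot.sh before and after the one-line change described above. The sample script body and the exact form `su - dsl` are assumptions, since the thread does not show the real line.

```shell
#!/bin/sh
# Added example: audit fsck init scripts for lines that start a login or
# shell session without asking for credentials. Sample scripts are constructed.

# Commands that open a session; names ending in ".sh" are not matched.
PATTERN='(^|[^[:alnum:]_.])(su|sh|bash|ash)([[:space:]]|$)'

# find_unauth_shell FILE...
# Prints "file:line:text" for every non-comment line matching PATTERN.
find_unauth_shell() {
    for f in "$@"; do
        grep -nE "$PATTERN" "$f" \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | while IFS= read -r hit; do
                  printf '%s:%s\n' "${f##*/}" "$hit"
              done
    done
}

# write_sample FILE REPAIR_LINE
# Constructed stand-in for checkfs.sh/checkroot.sh; the real DSL scripts are
# not shown in the thread, and "su - dsl" is an assumed form of the line.
write_sample() {
    cat > "$1" <<EOF
#!/bin/sh
# constructed sample, not the DSL script
fsck -a /dev/hda2
if [ \$? -gt 1 ]; then
    echo "fsck failed, starting a repair session"
    $2
fi
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/before" "$tmp/after"
for s in checkfs.sh checkroot.sh; do
    write_sample "$tmp/before/$s" "su - dsl"      # auto-login after fsck errors
    write_sample "$tmp/after/$s"  "# su - dsl"    # line commented out
done

echo "before:"; find_unauth_shell "$tmp"/before/*.sh
echo "after:";  find_unauth_shell "$tmp"/after/*.sh
```

On an installed system, pass /etc/init.d/checkfs.sh and /etc/init.d/checkroot.sh to `find_unauth_shell` instead of the samples.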