--begin quoted message from Sean 'Shaleh' Perry, > > > > Wow, I kind of knew there were ways to gain root access or even find out > > the root password quite easily, but that's really really easy... > > > > On every standard Debian install, anybody can gain the root password > > within minutes (given the attacker has phyiscal access to the box): > > > > (warning this is a fairly direct email and is not intended as a flame, rather > it is trying to be blunt and carry a point) > > The answer is -- if they can touch your machine you have lost. *PERIOD*. End > of discussion. This has been hammered to death on more lists than I can > remember. > > Even if lilo is secured you still have booting media, case hacking, etc. Just > put the whole thing in a cage and make it so they can not reboot. Otherwise > you are wasting your time.
It's not just a matter of possibility, it's also a matter of how much time it takes and how obvious it is. If you: 1> password protect Lilo or disable lilo prompt (if you're only using one boot image) 2> disallow ALL boot media (including cdrom). 3> password protect your BIOS 4> lock your case shut you've gone from allowing someone to take over your system by putting in a floppy and hitting reset (or unplugging) to makeing them break there way into they physical computer, or take the computer with them. Both of which are much more obvious. Of course, unplugging the thing's always possible if you allow access to the box, but that's easily corrected and "just" DoS, with no other security implications (you know the files are still secure, etc). just my 2c. (maybe 3c, sorry) -- Noah Massey | fingerprint : 90AD 7AAB 0768 46AF 8C52 0695 03A2 C74D E1ED C2BF Old jazz fans never die they just turn to soul. Attached is a digital signature which can be used to authenticate this email. For details consult www.gnupg.org or www.pgpi.org
pgpRp3gl6gL39.pgp
Description: PGP signature
