On 11/26/05, Fredrik <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>
> > On Fri, Nov 25, 2005 at 01:33:34PM +0200, Maxim Vexler wrote:
> >
> >>On 11/25/05, Robert Brockway <[EMAIL PROTECTED]> wrote:
> >>
> >>>Anyone wanting to lock the root account (not a good idea IMHO) should have
> >>>a root enabled session (sudo, su or whatever) put to the side and not
> >>>touched during the procedure. This session would be used only to reverse
> >>>the procedure if it was found that establishing superuser privs was no
> >>>longer possible in new sessions.
> >>
> >>In the worst case, couldn't someone just boot from a livecd, run
> >>[passwd root], then [cat /etc/shadow | grep root] on the livecd and
> >>finally simply copying that entry into the locked out system shadow
> >>file?
> >
> >
> > That's doing it the hard way. Just pass "init=/bin/sh rw" to the kernel
> > with your bootloader, and do:
> > # passwd root
> > # mount -o ro,remount / && reboot
> >
> > If your bootloader has a password and you've lost that, you can use a
> > boot disk, but you still shouldn't muck around with the passwd & shadow
> > files directly, probably ever. Just mount the root filesystem and
> > chroot /mnt passwd (or visudo) as root.
> >
> >
> Well, to hack a PC with physical access is easy.
> That is why I've encrypted my hd with blowfish-256.
>
> It will take thousands of years to hack :-)
>
And would render data recovery in case of HD failure impossible.

I really don't think that for a regular home user block level hd
encryption is a good idea.
That is unless you maintain a strict backup policy and use a raid1 / 5 /
10 data duplication storage OR you really do have something to hide ;)

--
Cheers,
Maxim Vexler (hq4ever).

Do u GNU ?
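
The quoted advice about keeping a spare root session while locking the root account can be paired with a read-only check of the shadow entry. The following is an added example, not part of any poster's message: the function name `root_lock_state` and the sample entries are constructed for illustration, and it relies on the shadow(5) convention that a password field starting with `!` or `*` cannot be used for password login.

```shell
#!/bin/sh
# Added example: classify the root entry of a shadow-format file without
# editing it. Prints one of: locked | empty | set | missing
# usage: root_lock_state FILE
root_lock_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")            print "empty"    # no password required
            else if ($2 ~ /^[!*]/)   print "locked"   # e.g. after passwd -l
            else                     print "set"      # a hash is present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample entries; the hash text is a placeholder, not a real hash.
sample_locked='root:!$6$CONSTRUCTED$placeholderhash:13112:0:99999:7:::'
sample_star='root:*:13112:0:99999:7:::'
sample_empty='root::13112:0:99999:7:::'
sample_set='root:$6$CONSTRUCTED$placeholderhash:13112:0:99999:7:::'
sample_noroot='daemon:*:13112:0:99999:7:::'
```

Run it against a copy of the shadow file from the session kept aside, before that session is closed, so the result can still be acted on with superuser privileges.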