- Newsgroups: comp.unix.ultrix
- Path: sparky!uunet!haven.umd.edu!decuac!hussar.dco.dec.com!mjr
- From: mjr@hussar.dco.dec.com (Marcus J. Ranum)
- Subject: Re: Decstation Ultrix single-user mode security hole.
- Message-ID: <1992Aug22.185046.4512@decuac.dec.com>
- Keywords: DecStation, Ultrix, Security Hole, Help
- Sender: news@decuac.dec.com (USENET News System)
- Nntp-Posting-Host: hussar.dco.dec.com
- Organization: Digital Equipment Corporation, Washington ULTRIX Resource Center
- References: <ZAPHOD.92Aug22032228@splinter.coe.northeastern.edu>
- Distribution: comp
- Date: Sat, 22 Aug 1992 18:50:46 GMT
- Lines: 30
-
- > On Decstations running Ultrix 4.1-4.2a is there any way to
- >make it so that users can't just hit ^C during the multiuser boot
- >process to break into single-user mode? (and thus get access as root
- >on the machine).
-
- Note that there *are* occasions when you want to be able to
- interrupt autoboot. ;)
-
- One option might be to get a version of init and whack
- its interrupt handlers. I used to have a customized version that would
- call "/bin/su" instead of "/bin/sh" if a single user shell was requested.
- This relies on having a version of "su" that does the right thing if
- your password file is hosed. I tried putting "trap" statements in /etc/rc
- on my workstation here at home (which doesn't run ULTRIX so I can't say
- if it works on ULTRIX) but it didn't work, which kind of surprises
- me.
-
- I don't see sources to init in the net2 tapes, but the 386BSD
- kit appears to have one. Unfortunately, I don't know of an FTP server
- that keeps an unpacked 386BSD source distribution, or playing with it
- might be amusing. Init's a mostly trivial program.
-
- Without physical security, you're always going to have a
- problem. Anyone who thinks otherwise is in a state of sin. Someone
- can very easily walk up to a machine and boot off an external SCSI
- disk, for example...
-
- mjr.
-
-
-
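A sketch of the approach the post describes, written as an added example; it is not part of the original post and is not ULTRIX or 386BSD init source. It ignores the console interrupt signals and starts an authenticating program in place of a bare shell. The function names are hypothetical, and the program path is a parameter so the code can be exercised without a console.

```c
/* Added illustration; not ULTRIX or 386BSD init source. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ignore keyboard-generated signals so ^C, ^\ or ^Z on the console
 * cannot interrupt the boot sequence. Returns 0 on success, -1 on error. */
int ignore_console_interrupts(void)
{
    static const int sigs[] = { SIGINT, SIGQUIT, SIGTSTP };
    struct sigaction sa;
    sa.sa_handler = SIG_IGN;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) < 0)
            return -1;
    return 0;
}

/* Fork, exec `path` (the post describes an init that ran "/bin/su" here
 * instead of "/bin/sh") and wait. Returns the exit status, 127 if exec
 * failed, or -1 on fork/wait failure or death by signal. */
int run_single_user(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Ignored signals survive exec; restore defaults for the child. */
        signal(SIGINT, SIG_DFL);
        signal(SIGQUIT, SIG_DFL);
        signal(SIGTSTP, SIG_DFL);
        execv(path, argv);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In this sketch a caller would re-run the program on any non-zero status instead of falling back to /bin/sh, which is why the post's caveat about su coping with a damaged password file matters.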