[Mageia-dev] Handling single user/rescue/failsafe mode

Colin Guthrie mageia at colin.guthr.ie
Thu Apr 26 13:44:22 CEST 2012


'Twas brillig, and Wolfgang Bornath at 26/04/12 12:05 did gyre and gimble:
> 2012/4/26 Guillaume Rousse <guillomovitch at gmail.com>:
>> On 26/04/2012 12:12, Thierry Vignaud wrote:
>>
>>> On 26 April 2012 11:38, Colin Guthrie<mageia at colin.guthr.ie>  wrote:
>>>>
>>>> It seems that in mga1 single user mode just gave a shell without
>>>> requiring root password.
>>>>
>>>> I'm not sure when this was added, but in the initscripts changelog, I
>>>> see it has come from the big mdvconf patch[1].
>>>>
>>>> Can anyone remember the reason for this (perhaps it was related to tcb
>>>> support?) and whether or not we should do the same thing in systemd
>>>> which currently (now that I've fixed it) uses whatever SINGLE says in
>>>> /etc/sysconfig/init.
>>>
>>>
>>> This has been like this forever...
>>> At least for the past decade.
>>> I think other distros do/did it too.
>>
>> Some of them force the use of a password for single mode. Given the ease of
>> bypassing it through init=/bin/sh, unless the bootloader is also protected,
>> I'm a bit sceptical about the interest.
> 
> For ages (Mandrakelinux/Mandriva) it has been
> 
> SINGLE=/sbin/sushell

Yes, but inittab itself just referenced /bin/sh (thus not caring what
SINGLE variable was set to).

> as default. IMHO this default setting is a security issue. Someone
> with access to your machine (in an office or wherever) can simply
> turn it on (or first turn it off with the power button), select
> failsafe from the boot menu and has all the privileges he wants
> without any hurdles to jump. So I've been advocating to change this
> entry in /etc/sysconfig/init.
> 
> I've been also recommending users to change the matching line in
> /etc/inittab accordingly:
> 
> #Single user mode
> ~~:S:wait:/sbin/sulogin
> 
> which does the same. Unfortunately Mandrake/Mandriva developers did
> not share my view.

As Guillaume pointed out, if they have physical access, you can also
just pass init=/bin/sh to the kernel prompt, so I see little real
security benefit here (it maybe raises the bar slightly, but insecure is
insecure).

Col



-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
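
The two settings quoted in this thread and the bootloader condition Guillaume raises, checked together. This is an added example, not part of the message above or of any Mageia tool. It assumes a GRUB legacy style config with a global "password" line; the function names and the file paths passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the single-user settings it discusses.
# Assumption: a GRUB legacy style config whose global section (before the first
# "title") may hold a "password" line; the thread names no bootloader file.

# Value of SINGLE= in an /etc/sysconfig/init style file (last assignment wins).
single_shell() {
    sed -n 's/^[[:space:]]*SINGLE=//p' "$1" | tail -n 1 | tr -d "\"' \t"
}

# Command field of the runlevel-S "wait" line in an inittab style file.
inittab_single() {
    awk -F: '!/^[[:space:]]*#/ && $2 == "S" && $3 == "wait" { print $4 }' "$1" | tail -n 1
}

# Succeeds when a password line precedes the first boot entry, which is what
# stops an unauthenticated user from editing the kernel command line.
bootloader_locked() {
    awk '/^[[:space:]]*title[[:space:]]/ { exit }
         /^[[:space:]]*password[[:space:]]/ { found = 1 }
         END { exit !found }' "$1"
}

# Prints "single=<locked|open> cmdline=<locked|open>"; returns 0 only if both are locked.
audit_single_user() {   # args: sysconfig-init inittab bootloader-config
    s=$(single_shell "$1"); t=$(inittab_single "$2")
    single=locked; cmdline=locked
    [ "${s##*/}" = sulogin ] || single=open
    # sysvinit runs the inittab line regardless of SINGLE, so check it when present
    if [ -n "$t" ] && [ "${t##*/}" != sulogin ]; then single=open; fi
    bootloader_locked "$3" || cmdline=open
    echo "single=$single cmdline=$cmdline"
    [ "$single" = locked ] && [ "$cmdline" = locked ]
}

# Constructed sample files mirroring the defaults quoted in the thread.
demo=$(mktemp -d)
printf 'SINGLE=/sbin/sushell\n' > "$demo/init"
printf '#Single user mode\n~~:S:wait:/bin/sh\n' > "$demo/inittab"
printf 'timeout 5\ntitle linux\nkernel (hd0,0)/vmlinuz root=/dev/sda1\n' > "$demo/menu.lst"
audit_single_user "$demo/init" "$demo/inittab" "$demo/menu.lst" || true
# prints: single=open cmdline=open
```

A "single=locked cmdline=open" result is the case the thread argues about: sulogin prompts for the root password, but init=/bin/sh can still be passed at the boot prompt.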

