A Mockery of Linux Security?

[RyanB88]

I am an 18 year old college student who has never, until the beginning of this quarter, used linux. A few weeks into the qarter now, I have found a way, without use of any disks, to reset the root password without knowing it on SLES9.

So my question is, if its so easy to do this, why is linux said to be "secure"?

[oz]

There are a number of different ways to reset the root password under Linux. Here's a HowTo with a couple of ways to do it:

http://www.linuxforums.org/forum/lin...-password.html

Maybe your way is similar to one of these methods.

Regarding security, anytime you give access of a machine to another, security is at risk regardless of the OS.

[devils casper]

if you implement good security measures, its impossible to crack linux machine remotely. if you allow physical access to any machine having any OS, cracking is easy.






Casper

[ZakaqerE]

I am an 18 year old college student who has never, until the beginning of this quarter, used linux. A few weeks into the qarter now, I have found a way, without use of any disks, to reset the root password without knowing it on SLES9.

So my question is, if its so easy to do this, why is linux said to be "secure"?

He who has physical access to the machine OWNS the machine...
I can't remember who said that but it is true. If you can touch the machine, the OS that it is running is irrelevant because you can just boot into another OS. If you really want to keep someone from getting at your data, encrypt it. Becoming the superuser does not give one the encryption keys. Nor does it give you the computing power needed to brute-force. Linux is more secure because there are much less holes in the OS. Like buffer overflows.

[likwid]

It is not true that just because you have physical access you own it- if security measures aren't taken maybe this is true... at NEU when I tried to pwn the sun boxes with the OBP forth interpreter, the stop+a keystroke wouldn't work. It was disabled. Other things like automount and allowing users to mount can be disabled. BIOS passwords can be put in place so that boot order cannot be changed. You can use RSBAC or SeLinux. Owning a box is only easy if it hasn't been locked down really.

[fingal]

Hi - read this.

[genesus]

BIOS passwords can be put in place so that boot order cannot be changed...

I wouldn't use bios passwords as an example of security, mere physical access cancels its effectiveness. Manually reset the bios, change the booting order, use a live cd, wipe the partition table of the hdd-->brand new box.

[easuter]

Ha!
It doesn't really matter if its linux or windows or any other operating system.
When phisical access is obtained toa system by a malicious user, then it must be considered compromised.

How about you try this:

Encrypt the hard-drive (loop-back device for entire drive encryption) and then try resetting the root password...

Try doing that to both Linux and windows (with windows you will probably need EFS), and your "security" problems should disapear.

Implementing proper user accounts is essential to good security, but is really most effective over networks.

If you really wish to have an "unhackable" box (be it windows or linux/unix), then burry your computer 100 meters under ground in a reenforced concrete bunker.

[likwid]

IDK what kind of data centres or labs you've been in, but I think you might draw some attention to yourself as you are taking the NFS server out of a rack and opening up the case... or in the lab as everyone is doing their homework, you bust out a screwdriver and start going to town on one of the workstations. It's not realistic. A BIOS password will stop most anybody from booting to anything other than what is intended, unless it's the box you use to watch porn and listen to mp3's in your bedroom. In which case, who cares.

[easuter]

IDK what kind of data centres or labs you've been in, but I think you might draw some attention to yourself as you are taking the NFS server out of a rack and opening up the case... or in the lab as everyone is doing their homework, you bust out a screwdriver and start going to town on one of the workstations.

Perfect example!
Not to mention, many publicly accessable computers are sometimes thin-clients, and don't even have their own tower: its another great way to have a box lockup up somewhere, and be able to let it be used without people having FULL access to it.