  1. #1
    Linux User postcd's Avatar
    Join Date
    Apr 2011
    Posts
    311

    Is Linux safe when the root pwd can be reset?


    Hello,

    there is a tut on how to reset the root pwd from recovery mode:
    Reset root password (Ubuntu Linux) without CD FAQforge

    So I want to ask how a Linux computer can be secure when anyone can reset the root password at any time?

    The sensitive data must be manually encrypted, because whoever gains access to the Linux HDD can read all data which is not encrypted by an app like truecrypt, pgp, openssl?
    "Avoid the Gates of Hell. Use Linux affordable VPS."

  2. #2
    Linux Guru rokytnji's Avatar
    Join Date
    Jul 2008
    Location
    Desert
    Posts
    4,010
    So I want to ask how a Linux computer can be secure when anyone can reset the root password at any time?
    It requires physical access to the computer so if I walk up to you. Beat you down and take your laptop.
    Then you can worry.
    Linux Registered User # 475019
    Lead,Follow, or get the heck out of the way. I Have a Masters in Raising Hell

  3. #3
    Linux Engineer docbop's Avatar
    Join Date
    Nov 2009
    Location
    Woodshed, CA
    Posts
    906
    As they say if anyone has physical access to your computer they pwn you.

    Think of this: a hacker breaks in and resets the root password just to screw with you. Don't you want a way to get back into your own box???

    A SysAdmin hears through the grapevine he's getting fired, he gets pissed and changes the root passwd. Again you need a way to change that password.

    As the old security talk goes, the only secure server is one turned off, sealed in a safe, and buried six feet under ground, and even then we're not totally sure.

  4. #4
    Linux User sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    464
    It makes no difference what the OS is, if someone has physical possession of the computer, they can access the HDD. You don't even need to change the root password, just remove the drive and put it into another computer if necessary, but it's easier to boot from an external drive and you then have complete access to all the drives and partitions in the computer. Securely encrypting the drive does help, and that's not a matter of the OS, it's a function of the encryption software, which could run on any OS.

  5. #5
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,459
    All of these posts are correct. Physical access to the computer is all it usually takes. Here is an example.

    My attorney gave me a couple of his old laptops to give to my grandson who is a serious geek (20 years old - designs and builds his own rotary and fixed wing drone aircraft, along with all the avionics). Both had BIOSes that were locked with a fingerprint that had to be scanned in order to boot. It took him about 10 minutes to disable that "feature" once he had the systems in hand... In 30 minutes, he had a fresh copy of Windows 7 installed on one, and Linux on the other. I was there to witness it.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  6. #6
    Linux User postcd's Avatar
    Join Date
    Apr 2011
    Posts
    311
    So, for example, MySQL data, website data, documents and everything that is not encrypted by third-party Linux software is unsafe if someone gains physical access?
    Meaning there is no way to protect, for example, MySQL and website files on a webserver from physical theft (protect in a software way)?
    No Linux full disk encryption which protects running OS server data?
    "Avoid the Gates of Hell. Use Linux affordable VPS."

  7. #7
    Linux User sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    464
    Yes, you can encrypt the disk. But don't depend on that completely protecting your data if someone has extended physical access to the machine. That is the case with any OS. Full disk encryption is enough for most purposes, but might not suffice for someone with enough resources, such as a government agency. There are several methods of disk encryption with Linux, and you should do some research on them. It's your privacy, and your responsibility to protect it. Do not rely entirely on the advice of strangers on an internet forum.

  8. #8
    Linux Engineer docbop's Avatar
    Join Date
    Nov 2009
    Location
    Woodshed, CA
    Posts
    906
    Quote: Originally Posted by postcd
    No Linux full disk encryption which protects running OS server data?
    Bottom line, if someone really wants something with physical access and time they will get it. Do some searching on the internet; there are articles on the various methods of defeating disk encryption. Some get complex but are doable. Want to get real scared? The NSA and other government agencies had websites showing their research in breaking security. The most far out one I remember is them reconstructing data from a broken hard drive platter, by analyzing the magnetic patterns in the platter coating.

    The real balancing act is determining the real value and attractiveness of your data versus the security hoops you're jumping through and would have to go through to recover if one failed. Places have server security systems up the wazoo and leave the simplest of holes that employees can copy data to. Or my favorite, companies that go security crazy, but backup systems are practically non-existent. Or last, they have server security, but their website code has more holes than Swiss cheese.

  9. #9
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,459
    Real security is hard (some would say NP-hard). Security Theater is not so hard, and that is what most companies practice - leaving real security somewhere out in the garden... If they had a big dog out there, it would be better! I think this one thing would help a lot - a great big banner on your web pages, scrolling across the top of the display - "If you hack into our systems and compromise our, or our customers' data, we WILL find you, and kill you!".

    Credits to Bruce Schneier for inventing the term "Security Theater".
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  10. #10
    Linux Engineer
    Join Date
    Dec 2013
    Posts
    1,084
    Quote: Originally Posted by Rubberman
    Real security is hard (some would say NP-hard). Security Theater is not so hard, and that is what most companies practice - leaving real security somewhere out in the garden... If they had a big dog out there, it would be better! I think this one thing would help a lot - a great big banner on your web pages, scrolling across the top of the display - "If you hack into our systems and compromise our, or our customers' data, we WILL find you, and kill you!".

    Credits to Bruce Schneier for inventing the term "Security Theater".
    I suspect said banner would make you a target

    Large companies often have the most at stake but face the biggest challenge. The best crackers have a patience that most of us don't possess and when you consider the number of possible entry points in a large company it is tough.

    One day at a company I worked for I got a call from ops letting me know a platform I'd designed and written had crashed simultaneously with several others. They asked for my help figuring out what happened. The log files made it quite obvious we had been subjected to a full port scan. This was on an internal network! It was easily traced back to a couple of fellows who had been tasked with testing the internal network - they were supposed to be running a simple syn-ack test but in a company of 30,000 the fellows tasked had probably been the least competent possible and they had run the test in full scan mode. Disaster was averted and as far as I know no-one lost their job, I closed a hole in my platform and we added a new anecdote to the usual bag everyone carries with them.
