On Tue, 13 Mar 2007, ted.harding@nessie.mcc.ac.uk wrote:
On 12-Mar-07 Wayne Stallwood wrote:
On Mon, 2007-03-12 at 16:29 +0000, ted.harding@nessie.mcc.ac.uk wrote:
I've always set things up to boot into the console prompt, where I can do a "primitive" login as root (drop back to it with Ctrl-Alt-F1 for scruff-of-the-neck purposes), plus one as ted from which I then "startx &". So by then I'm logged in and my .bashrc, .profile get executed. Plus, I know exactly where I stand!
Well I certainly hope your machines are in a secure area where nobody else can access the console, because it sounds like I could walk up to one of them and stab ctrl-alt-f1 and have root :-)
I guess if we are talking private machines in your house it is not so much of a problem,
Yes, that is exactly my situation; and if I found you (unexpectedly) walking up to one of my machines ... !!!!
but if I so much as go out of line of sight of a machine at many of my clients whilst leaving it logged into a privileged account I would never be invited back.
Yes, I do appreciate that in a more "public" situation things would need to be arranged differently. In particular, I would not leave root logged in. And I would probably re-write the "boot" sequence so that no-one (not even the human entity with genuine privileges) could do anything without knowing the root password.
That's almost impossible to do, I think; if someone has physical access to your hardware, you're already in trouble. Password-protected bootloaders are easily bypassed, and passing certain variables to the kernel at boot time makes gaining root a trivial task, not to mention someone just stealing your disks! :)
Cheers.
-Mark