On Tue, Mar 13, 2007 at 09:07:54AM +0000, Mark Ridley wrote:
On Tue, 13 Mar 2007, ted.harding@nessie.mcc.ac.uk wrote:
but if I so much as go out of line of sight of a machine at many of my clients whilst leaving it logged into a privileged account I would
never be invited back.
Yes, I do appreciate that in a more "public" situation things would need to be arranged differently. In particular, I would not leave root logged in. And I would probaby re-write the "boot" sequence so that no-one (not even the human entity with genuine privileges) could do anything without knowing the root password.
That's almost impoosible to do I think, if someone has physical access to your hardware, you're already in trouble. Password protected bootladers are easily bypassed, and passing certain variables to the kernel at boot time make gaining root a trivial task, not mentioning someone just stealing your disks! :)
Absolutely, any machine to which you have physical access can be 'broken into' within a few minutes. The *only* thing that would protect data to any significant extent would be having an encrypted file system.