Securing FreeBSD in single user mode

6

5

I have been shown that a FreeBSD system can easily be accessed in single user mode without the root password. Using the passwd command will allow anyone with physical access to the system to change the password for root. Is there any way to prevent this? Before learning this I was told BSD systems are secure, but now I am not so sure.

The BSD Guy

Posted 2009-12-19T23:08:01.880

Reputation: 65

Really funny, I'm going to favorite this question so I can have some laughs later on! – alexus – 2009-12-20T04:33:42.970

I don't see what's funny – The BSD Guy – 2009-12-20T05:35:27.253

He likely thinks it's "funny" because anyone with physical access to an unencrypted machine can boot whatever they want and access the raw data of the machine without restrictions. – Chris S – 2014-05-20T15:33:16.920

Answers

10

You simply need to edit /etc/ttys to prompt for a password in single user mode, although keep in mind anyone with physical access to the machine can still retrieve your data through various methods.

You will find a line that looks like this (tab delimited) in /etc/ttys:

console none   unknown off secure

Change the secure part to insecure (very confusing, I know) so the line looks like this:

console none   unknown off insecure

Upon rebooting and entering single user mode, you will be prompted for a password to get to the shell prompt.

This is what the FreeBSD guys have to say about using the word insecure in /etc/ttys:

Note: An insecure console means that you consider your physical security to the console to be insecure, and want to make sure only someone who knows the root password may use single-user mode, and it does not mean that you want to run your console insecurely. Thus, if you want security, choose insecure, not secure.

John T

Posted 2009-12-19T23:08:01.880

Reputation: 149 037
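As an added example (not part of the answer above), here is a POSIX shell script that audits the console entry of a ttys file and rewrites secure to insecure the way the answer describes. It assumes the whitespace-separated five-field layout shown above (name, getty, type, status, flag) and takes the file path as an argument, so it can be exercised on a constructed copy before it is pointed at /etc/ttys.

```shell
#!/bin/sh
# Audit and harden the "console" entry of a FreeBSD-style /etc/ttys.
# Added example, not code from the original answer. The ttys file path is
# passed in so the functions can be tried on a constructed copy first.

# Print the single-user-mode policy for the console line of the given file:
#   "secure"   - single user mode gives a root shell with no password prompt
#   "insecure" - the root password is required (the hardened setting)
#   "missing"  - no console line found
# Fields are whitespace-separated: name getty type status [secure]. The
# console line's getty is the single word "none", so the flag is field 5.
console_policy() {
    awk 'BEGIN { found = 0 }
         $1 == "console" { found = 1; print ($5 == "secure") ? "secure" : "insecure"; exit }
         END { if (!found) print "missing" }' "$1"
}

# Exit 0 if single user mode is password-protected, 1 otherwise.
console_is_protected() {
    [ "$(console_policy "$1")" = "insecure" ]
}

# Change the trailing "secure" on the console line to "insecure", keeping the
# line's tab layout. The regex requires whitespace before "secure", so an
# already hardened "insecure" line is left alone (the rewrite is idempotent).
# Output goes to a temp file which is then renamed, so the file is never
# left half-written.
harden_console() {
    f=$1
    tmp="$f.new.$$"
    sed 's/^\(console[[:space:]].*[[:space:]]\)secure[[:space:]]*$/\1insecure/' "$f" > "$tmp" \
        && mv "$tmp" "$f"
}

# Demonstration on a constructed copy (not the real /etc/ttys).
demo() {
    sample=$(mktemp)
    printf '# name\tgetty\t\t\ttype\tstatus\tcomments\n' > "$sample"
    printf 'console\tnone\t\t\tunknown\toff\tsecure\n' >> "$sample"
    printf 'ttyv0\t"/usr/libexec/getty Pc"\txterm\ton\tsecure\n' >> "$sample"
    echo "before: $(console_policy "$sample")"
    harden_console "$sample"
    echo "after:  $(console_policy "$sample")"
    rm -f "$sample"
}

demo
```

To apply it to the live file, run harden_console /etc/ttys as root and then confirm with console_policy /etc/ttys that it reports insecure; the change takes effect at the next boot into single user mode.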

5

Any system that's physically accessible has the potential to be insecure. Even if your installed OS is secure, someone could, in theory, use a live disk to edit security settings, reset passwords, or simply get data out.

I suppose you have to disable USB and CD boot and lock the BIOS to be totally safe. And even then someone could always take the HDD out.

I hope I don't make you too paranoid ;)

Journeyman Geek

Posted 2009-12-19T23:08:01.880

Reputation: 119 122

2

echo 'password=SuperPasswordHere' >> /boot/loader.conf.local

It will force a password prompt before dropping to single user mode.

P.S. Pay attention on FreeBSD-9 if you are using this. Someone broke this a little bit, but a bug report and a fix have already been submitted to GNATS. See it here, PR:170110

How to bring back this functionality on FreeBSD-9, which has worked for decades.

Without this fix the computer will stop booting and wait for a password.

Alex

Posted 2009-12-19T23:08:01.880

Reputation: 5 606

1

Increase physical security.

briealeida

Posted 2009-12-19T23:08:01.880

Reputation: 484

see comment above please – The BSD Guy – 2009-12-20T05:24:48.560

The one you wrote after I answered? Oh, OK. Cool. – briealeida – 2010-01-09T08:23:41.443