Fwd: Single user mode

Wout Decré wout at canodus.be
Tue May 15 08:57:21 UTC 2012


On Tue, 2012-05-15 at 01:40 -0700, mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message at
> FreeBSD startup: "Hit [Enter] to boot immediately, or any other key for
> command prompt."
> After seeing it, if you press any key you enter another mode, and if you type
> '?' you can see the list of commands. I want to remove this mode; it's so
> important that a user can't access this mode.

Set autoboot_delay="-1" in /boot/loader.conf.
See /boot/defaults/loader.conf for more information.

> Who can help me?
> Thanks
> 
> 
> 
> ---------- Forwarded message ----------
> From: mahdieh salamat <mahdieh.salamat at gmail.com>
> Date: Mon, May 14, 2012 at 4:29 AM
> Subject: Re: Single user mode
> To: Vahid Shokouhi <vahid at vahid-shokouhi.net>
> 
> 
> I really thank you, it's a really perfect forum. I searched more and more to
> find a Persian website about FreeBSD, and now I have found it. Thank you
> 
> 
> On Mon, May 14, 2012 at 2:33 AM, Vahid Shokouhi <vahid at vahid-shokouhi.net> wrote:
> 
> > You are most welcome.
> >
> > [I don't know if you know this place, assuming you don't know, I let you
> > know] :
> >
> > www.imenpardis.com
> >
> > This site, which is actually for the "Imen Pardis" company, is owned by
> > Mr. Babak Farrokhi, who is a famous port maintainer in the FreeBSD project (the
> > only person in the Middle East), and author of a great book on FreeBSD
> > administration. He is a guru in all the Unix family: Unix, Solaris, BSD, Linux;
> > you can google his name and get some info about him. He is a well-known
> > Unix expert in the world.
> > You can join its forum and ask your questions and also help others
> > solve their problems. I don't know all the people in the forum, but as
> > Mr. Farrokhi is always supportive and available to answer your questions, you
> > can get the right answer from the right person. If I know one word in
> > FreeBSD, he knows thousands.
> >
> > Regards
> >
> > On 2012-05-14 13:08, mahdieh salamat wrote:
> >
> >> Thanks dear Vahid, it was so useful for me. I will edit /etc/tty.
> >> Thanks a lot
> >>
> >> On Sun, May 13, 2012 at 11:58 PM, Vahid Shokouhi
> >> <vahid at vahid-shokouhi.net> wrote:
> >>
> >>> Hi
> >>>
> >>> Well, there are 2 approaches to any machine security. First, you
> >>> have a fresh machine and it's supposed to be only for you; second,
> >>> you are admin of a machine which others have access to for
> >>> their work purposes. Your question seems close to the first scenario.
> >>>
> >>> As I wrote before, yes it's possible (by default) that any user
> >>> gains access to your machine resources in single-user mode; so we
> >>> talked about editing /etc/tty. The other place which needs to be
> >>> taken care of is /ETC/LOGIN.ACCESS; every time a user wants to
> >>> log in, FreeBSD checks this file and its rules. By default there is
> >>> NO rule defined, which means NO restriction to log in. You can
> >>> config this file in 2 ways [like switch and router ACLs]: you can use
> >>> "permit-based" rules, in which you first permit specific user(s)
> >>> and then deny others. And you can use "deny-based" rules, in which
> >>> you deny ALL and then permit someone. You should be familiar with
> >>> the syntax and format of this file; for example it uses "+" to give
> >>> access and "-" to reject access. For example:
> >>>
> >>> The following is "permit-based"; it gives the "wheel" group console
> >>> access and rejects the others (ALL). Note the "+" & "-":
> >>>
> >>> +:WHEEL: CONSOLE
> >>> -:ALL:CONSOLE
> >>>
> >>> The following is "deny-based". Note the syntax of how "permit" is
> >>> given:
> >>>
> >>> -:ALL EXCEPT WHEEL: CONSOLE [EXCEPT is permit definer]
> >>>
> >>> The second format is more preferred and recommended; it is both
> >>> short and somehow more secure.
> >>>
> >>> Anyway, this is for the 1st situation, where the machine is only yours,
> >>> and you can protect your machine by applying some physical-access
> >>> rules. But in the real world you have to deal with the second condition.
> >>> Then you have to focus on many things: limiting users' use of any
> >>> resource by editing /ETC/LOGIN.CONF, the permissions of files, the flags,
> >>> clearing your machine of unknown/unnecessary users (daemons),
> >>> using jail and so on..
> >>>
> >>> I hope it is helpful for you and gives you some hints on securing.
> >>>
> >>> If there is any question, please feel free and don't hesitate to
> >>> ask.
> >>>
> >>> Regards
> >>>
> >>> Vahid Shokouhi
> >>>
> >>> On 2012-05-14 09:53, mahdieh salamat wrote:
> >>>
> >>>> Thanks for your help, it was so useful. I want to know that when a
> >>>> user is using a machine and he/she doesn't have root's password, can
> >>>> he/she access it? For example by single user mode or other modes?
> >>>>
> >>>> On Sun, May 13, 2012 at 6:33 AM, Vahid Shokouhi
> >>>> <vahid at vahid-shokouhi.net> wrote:
> >>>>
> >>>>> Hi
> >>>>> Yes, it is possible to gain access via single-user, but
> >>>>> single-user mode is for the root user to configure something as he
> >>>>> likes; but if the machine is accessible to others, you need to
> >>>>> edit "/etc/tty" to prompt for a password in single user mode,
> >>>>> although keep in mind anyone with physical access to the machine can
> >>>>> still retrieve your data through various methods.
> >>>>> In /etc/tty note the "secure" term, which actually has a different
> >>>>> meaning. It means that you consider, for example, "console" as a
> >>>>> secure mode; so you have to change it to "insecure".
> >>>>> After rebooting and entering single user mode, you will be
> >>>>> prompted for a password to get to the shell prompt.
> >>>>>
> >>>>> On 2012-05-13 17:04, mahdieh salamat wrote:
> >>>>>
> >>>>>> Hi everybody. I have a question about single user mode in
> >>>>>> FreeBSD. Security is so important for me. I want to know whether
> >>>>>> someone who doesn't know my root password can access it? In other
> >>>>>> words, in our FreeBSD we don't have the FreeBSD boot loader menu;
> >>>>>> we deleted it for our users because of security. I want to know,
> >>>>>> is there any other way except the boot loader menu for our users to
> >>>>>> access our root's password?
> >>>>>> Thanks
> >>>>>> _______________________________________________
> >>>>>> freebsd-security at freebsd.org mailing list
> >>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >>>>>> To unsubscribe, send any mail to
> >>>>>> "freebsd-security-unsubscribe at freebsd.org"
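The thread names three controls: the loader's autoboot_delay, the "secure"/"insecure" flag on the console line of /etc/ttys (the file Vahid's messages call /etc/tty), and the permit-based versus deny-based rule styles in /etc/login.access. The first is a one-line setting; the other two have evaluation rules that are easy to get wrong, so here is an added example, not part of the thread and not FreeBSD's own pam_login_access or init code, that models them in Python. It assumes a constructed group table (GROUPS) in place of the system group database, implements the login.access semantics as described in login.access(5) (permission:users:origins; first matching rule decides; no matching rule means the login is allowed; EXCEPT carves an exception out of the list before it; names match case-insensitively, so the thread's WHEEL and CONSOLE match the lowercase group and tty), and leaves out netgroups, host origins and line continuations. The bracketed "[EXCEPT is permit definer]" in the thread is an explanatory note, not file syntax, so the sample rule omits it. All function names are hypothetical.

```python
"""Toy evaluator for the two /etc/login.access rule styles in the thread,
plus a check of the /etc/ttys console flag that controls the single-user
password prompt.  Added example; not FreeBSD's pam_login_access or init code.

Semantics implemented for login.access (first matching rule decides; if no
rule matches, the login is allowed):
    permission:users:origins
  - permission is "+" (permit) or "-" (deny)
  - users / origins are comma- or space-separated tokens: names, ALL, LOCAL,
    optionally followed by "EXCEPT <list>"; matching is case-insensitive
  - a users token matches the login name or a group the user belongs to
Line continuations, netgroups and host/network origins are not modelled.
"""
import shlex

# Constructed sample group membership; stands in for the system group database.
GROUPS = {"wheel": {"alice"}, "staff": {"alice", "bob"}}


def _token_matches(token, value, groups):
    """One token against a login name (groups given) or a tty name (groups None)."""
    token = token.lower()
    if token == "all":
        return True
    if token == "local":
        return "." not in value  # LOCAL: ttys and unqualified host names
    if token == value.lower():
        return True
    return groups is not None and value in groups.get(token, set())


def _list_matches(items, value, groups=None):
    """Match VALUE against a token list with an optional EXCEPT clause.

    The part before EXCEPT must match and the part after it must not; the
    part after EXCEPT may itself contain EXCEPT, hence the recursion.
    """
    tokens = items.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), value, groups)
                and not _list_matches(" ".join(tokens[i + 1:]), value, groups))
    return any(_token_matches(t, value, groups) for t in tokens)


def parse_rules(text):
    """Parse login.access text into (permit, users, origins) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0][:1] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((fields[0][0] == "+", fields[1], fields[2]))
    return rules


def login_allowed(rules, user, origin, groups=GROUPS):
    """First rule whose users AND origins lists both match decides."""
    for permit, users, origins in rules:
        if _list_matches(users, user, groups) and _list_matches(origins, origin):
            return permit
    return True  # no rule matched: login.access imposes no restriction


def console_flags(ttys_text):
    """Flag words on the 'console' line of /etc/ttys (name getty type status [flags])."""
    for raw in ttys_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = shlex.split(line)  # the getty field may be quoted
            if fields[0] == "console":
                return fields[4:]
    return []


def single_user_password_required(ttys_text):
    """init prompts for root's password in single-user mode unless the console
    line carries the 'secure' flag; writing 'insecure' is the usual way to drop it."""
    return "secure" not in console_flags(ttys_text)


# Constructed samples: the two rule styles from the thread, and two ttys files.
PERMIT_BASED = "+:WHEEL: CONSOLE\n-:ALL:CONSOLE\n"
DENY_BASED = "-:ALL EXCEPT WHEEL: CONSOLE\n"
WRONG_ORDER = "-:ALL:CONSOLE\n+:WHEEL:CONSOLE\n"  # deny rule first: wheel is locked out too
TTYS_DEFAULT = 'console\tnone\tunknown\toff\tsecure\nttyv0\t"/usr/libexec/getty Pc"\txterm\ton\tsecure\n'
TTYS_HARDENED = TTYS_DEFAULT.replace("off\tsecure", "off\tinsecure", 1)

if __name__ == "__main__":
    for name, text in (("permit-based", PERMIT_BASED), ("deny-based", DENY_BASED),
                       ("wrong order", WRONG_ORDER)):
        rules = parse_rules(text)
        for user, tty in (("alice", "console"), ("bob", "console"), ("bob", "ttyv0")):
            verdict = "allow" if login_allowed(rules, user, tty) else "deny"
            print(f"{name:13} {user}@{tty}: {verdict}")
    print("default ttys prompts in single-user:", single_user_password_required(TTYS_DEFAULT))
    print("hardened ttys prompts in single-user:", single_user_password_required(TTYS_HARDENED))
```

Running it shows why the ordering in the permit-based style matters: with the deny-ALL rule placed first (WRONG_ORDER), wheel members are denied on the console as well, because the first matching rule wins and the later "+" line is never reached. It also shows that neither style touches other ttys; bob on ttyv0 matches no rule and is allowed, which is the "no rule, no restriction" default Vahid describes.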



