On Tue, 03 Mar 2015 10:20:25 +0100, Ricardo Martín wrote:
> Indeed, that would be a way of checking the password change, but I was
> more interested in whether such a change could be flagged as being
> carried out from single user mode.
> Or in other words, whether root's password has been reset by
> accessing the machine during the boot process.

It could be possible to monitor root's actions in SUM. Changing
the root password requires the / partition to be
mounted r/w. In this case, it's possible that the (memory
buffered) shell history is also written to the history file,
leaving evidence. Of course it's no big deal to _remove_
such evidence. You could try to "hide" additional means of
logging in the (limited) SUM boot process, but I don't
think such a mechanism is already implemented by default...

The problem with SUM is that it is _by intention_ a very
limited environment, and still a very powerful environment.
That's why you can secure this mode with a password as well,
to "seal" the _real_ power of root. :-)
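
An added example, not part of the original message: a check of whether single user mode is password-protected. It assumes a BSD-style /etc/ttys (the thread does not name the OS), where a console entry without the "secure" flag makes init ask for root's password before starting the single-user shell; the function name and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes a BSD-style /etc/ttys (ttys(5)); the OS is not
# named in the thread, so the file path and format are assumptions.

# console_sum_state FILE
# Prints one of:
#   sealed    console not marked "secure": init asks for root's password
#   unsealed  console marked "secure": single-user shell without a password
#   missing   no console entry found
console_sum_state() {
    awk '
        /^[[:space:]]*#/ { next }              # skip comment lines
        $1 == "console" {
            found = 1
            state = "sealed"                   # no "secure" flag => password asked
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break           # trailing comment
                if ($i == "secure")   state = "unsealed"
                if ($i == "insecure") state = "sealed"
            }
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# Constructed sample entries (not taken from any real host).
sample_dir=$(mktemp -d)
printf '%s\n' '# name getty type status' \
    'console none unknown off secure' > "$sample_dir/ttys.default"
printf '%s\n' 'console none unknown off insecure  # ask for password' \
    'ttyv0 "/usr/libexec/getty Pc" xterm on secure' > "$sample_dir/ttys.sealed"

for f in "$sample_dir"/ttys.*; do
    printf '%s: %s\n' "${f##*/}" "$(console_sum_state "$f")"
done
# On a live system: console_sum_state /etc/ttys
```

This only reports whether the SUM password prompt is enabled; it does not detect a reset that has already happened.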

