Check root password changes done via single user mode

Valeri Galtsev galtsev at
Tue Mar 3 18:59:32 UTC 2015

On Tue, March 3, 2015 12:08 pm, Polytropon wrote:
> On Tue, 3 Mar 2015 06:02:13 -0800, Mehmet Erol Sanliturk wrote:
>> If any one is in front of the console , he/she may use a boot CD/DVD/USB
>> stick to boot a copy of the operating system , and do whatever wants to
>> do .
> Only if booting from removable media is enabled in the
> BIOS or EFI, and if it's not, a password protection would
> stop the attacker from changing the setting.
> It's not that anything possible couldn't be made impossible
> by a clever trick, still leaving several other possible ways
> of doing it... ;-)
> On the other hand: If physical access has already been
> gained, the attacker could remove the hard disk and use
> it, for example with an USB adapter, with his own equipment
> he brought. Of course it's possible to prevent that attack
> by using non-standard screws, which only works as long as
> the attacker doesn't have the right tools for those screws.

Indeed: first level of security: physical access. Then removing all boot
options except your system drive (can be overridden by opening pox and
putting in "clear CMOS" jumper...). The drive can be removed and mounted
elsewhere (takes yet even longer). Drive encryption helps (but drive
encryption == hassle to be there and type decryption password during
boot)... And all of them will require physical access.

However: if you have a good system integrity watch system (and every time
the file with password hashes changes you maintain a way to verify that it
is not root password hash that has changed in that file), then you should
be more or less confident in your system (or root password). Until you
find the system has rebooted without your command for reboot. That
particular event should call for thorough forensic investigation and
damage assessment; just reboot itself, even if the length between power
off and power on is really short, could still be associated with potential
leak of your sensitive stuff, like password hashes. Or that could be very
small first step, just dropping in some malicious binary which you might
execute at some point later making for them next tiny step toward the
compromise of your machine...

As it was already said: the security of your box has its cost; as every
person has one's cost (again, from bad movies: this cost may be life of
your relative). So, luckily for us, the value of stuff we have on our
boxes doesn't compare to extreme "costs" one can go to to compromise them
(knocking on wood when implying neither of our boxes is compromised ;-)


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247

More information about the freebsd-questions mailing list