On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote:
Let's suppose an attacker entered the room where an OpenBSD server is
located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
user mode, without the need
. Honorio Pueyrredon 1694
Tel: (05411)-4586-0134 Fax:(05411)-4585-7550
- Original Message -
From: Shawn K. Quinn [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Sunday, June 25, 2006 8:58 PM
Subject: Re: Doubts about OpenBSD security.
On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote
Hi there,
Joco Salvatti wrote:
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?
No. If you are already root, you could add easily
Don Boling wrote:
Wouldn't this be the main reason to use sudo?
Not at all.
If your box is not physically secure, even sudo wouldn't prevent an
attacker of joking around with your server...
Use sudo anyways, but keep your servers physically
On 21/06/06, Joco Salvatti [EMAIL PROTECTED] wrote:
So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel module.
The attacker cannot load a malicious kernel module on OpenBSD, because
OpenBSD specifically does not support loadable
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote:
On 21/06/06, Joco Salvatti [EMAIL PROTECTED] wrote:
So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel module.
The attacker cannot load a malicious
2006/6/21, Joco Salvatti [EMAIL PROTECTED]:
Let's suppose an attacker entered the room where an OpenBSD server is
located in, and by mistake the system administrator has forgotten to
logout the root login session.
http://www.darkwing.com/idled/
So the attacker could enter in single
user
On 22/06/06, Ryan McBride [EMAIL PROTECTED] wrote:
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote:
On 21/06/06, Joco Salvatti [EMAIL PROTECTED] wrote:
So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:
Oops. :) I guess I misunderstood
http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems
where Kernel type refers solely to the provided kernel of the OS
itself, not of the OS features that may be (ab)used by some
On 22/06/06, Ted Unangst [EMAIL PROTECTED] wrote:
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:
Oops. :) I guess I misunderstood
http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems
where Kernel type refers solely to the provided kernel of the OS
itself, not
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:
On 22/06/06, Ted Unangst [EMAIL PROTECTED] wrote:
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote:
Oops. :) I guess I misunderstood
http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems
where Kernel
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?
2. Why doesn't
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?
Oh come on.
Joco Salvatti [EMAIL PROTECTED] wrote:
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?
No, it may not. Why would that matter at all?
2. Why doesn't the system ask the
Joco Salvatti wrote:
Let's suppose an attacker entered the room where an OpenBSD server is
located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
user mode, without the need for the root password, and load a
On 6/21/06, Joco Salvatti [EMAIL PROTECTED] wrote:
Let's suppose an attacker entered the room where an OpenBSD server is
why didn't you lock the door?
located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
On Wed, Jun 21, 2006 at 02:23:20PM -0300, Joco Salvatti wrote:
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password?
] On Behalf Of Joco Salvatti
Sent: Wednesday, June 21, 2006 1:23 PM
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when
* Joco Salvatti [EMAIL PROTECTED] [2006-06-21 11:38]:
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it
That's why I always hardware hack my servers with a fragmentation
grenade. And, for good measure, anti-personnel mines underneath the
raised flooring.
On 6/21/06, Dries Schellekens [EMAIL PROTECTED] wrote:
Once someone has physical access, all is lost with current hardware.
--
Try to do
Joco Salvatti [EMAIL PROTECTED] wrote:
Let's suppose an attacker entered the
room where an OpenBSD server is
located in,
Most would argue that at this point you've already lost the security game.
So the attacker could enter in single
user mode, without the need for the root
password,
He
On 6/21/06, Gabriel Puliatti [EMAIL PROTECTED] wrote:
On 6/21/06, Theo de Raadt [EMAIL PROTECTED] wrote:
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
Joco Salvatti wrote:
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.
My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.
1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May
in particular...
Peter L.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Joco Salvatti
Sent: Wednesday, June 21, 2006 1:23 PM
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.
My doubts may seem fool, so thanks in advance
Quoting Jared Solomon [EMAIL PROTECTED]:
That's why I always hardware hack my servers with a fragmentation
grenade. And, for good measure, anti-personnel mines underneath the
raised flooring.
I prefer to have the doors automatically locked and then have the halon
deployed.
Much cleaner. ;
On Wed, Jun 21, 2006 at 11:54:37AM -0600, Bob Beck wrote:
IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this
Bob Beck wrote:
...
IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you,
Nick Holland wrote:
Bob Beck wrote:
...
IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm
30 matches