Re: Doubts about OpenBSD security.

2006-06-25 Thread Shawn K. Quinn
On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote: Let's suppose an attacker entered the room where an OpenBSD server is located in, and by mistake the system administrator has forgotten to logout the root login session. So the attacker could enter in single user mode, without the need

Re: Doubts about OpenBSD security.

2006-06-25 Thread Marcos Laufer
. Honorio Pueyrredon 1694 Tel: (05411)-4586-0134 Fax:(05411)-4585-7550 - Original Message - From: Shawn K. Quinn [EMAIL PROTECTED] To: misc@openbsd.org Sent: Sunday, June 25, 2006 8:58 PM Subject: Re: Doubts about OpenBSD security. On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote

Re: Doubts about OpenBSD security.

2006-06-22 Thread Marian Hettwer
Hi there, João Salvatti wrote: 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security flaw? No. If you are already root, you could add easily

Re: Doubts about OpenBSD security.

2006-06-22 Thread Marian Hettwer
Don Boling wrote: Wouldn't this be the main reason to use sudo? Not at all. If your box is not physically secure, even sudo wouldn't prevent an attacker of joking around with your server... Use sudo anyways, but keep your servers physically

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 21/06/06, João Salvatti [EMAIL PROTECTED] wrote: So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel module. The attacker cannot load a malicious kernel module on OpenBSD, because OpenBSD specifically does not support loadable

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ryan McBride
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: On 21/06/06, João Salvatti [EMAIL PROTECTED] wrote: So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel module. The attacker cannot load a malicious

Re: Doubts about OpenBSD security.

2006-06-22 Thread Joachim Schipper
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: On 21/06/06, João Salvatti [EMAIL PROTECTED] wrote: So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel module. The attacker cannot load a malicious

Re: Doubts about OpenBSD security.

2006-06-22 Thread Cristiano Deana
2006/6/21, João Salvatti [EMAIL PROTECTED]: Let's suppose an attacker entered the room where an OpenBSD server is located in, and by mistake the system administrator has forgotten to logout the root login session. http://www.darkwing.com/idled/ So the attacker could enter in single user

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 22/06/06, Ryan McBride [EMAIL PROTECTED] wrote: On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: On 21/06/06, João Salvatti [EMAIL PROTECTED] wrote: So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ted Unangst
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote: Oops. :) I guess I misunderstood http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems where Kernel type refers solely to the provided kernel of the OS itself, not of the OS features that may be (ab)used by some

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 22/06/06, Ted Unangst [EMAIL PROTECTED] wrote: On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote: Oops. :) I guess I misunderstood http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems where Kernel type refers solely to the provided kernel of the OS itself, not

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ted Unangst
On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote: On 22/06/06, Ted Unangst [EMAIL PROTECTED] wrote: On 6/22/06, Constantine A. Murenin [EMAIL PROTECTED] wrote: Oops. :) I guess I misunderstood http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems where Kernel

Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti
My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security flaw? 2. Why doesn't

Re: Doubts about OpenBSD security.

2006-06-21 Thread Theo de Raadt
My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security flaw? Oh come on.

Re: Doubts about OpenBSD security.

2006-06-21 Thread Adam
João Salvatti [EMAIL PROTECTED] wrote: 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security flaw? No, it may not. Why would that matter at all? 2. Why doesn't the system ask the

Re: Doubts about OpenBSD security.

2006-06-21 Thread Dries Schellekens
João Salvatti wrote: Let's suppose an attacker entered the room where an OpenBSD server is located in, and by mistake the system administrator has forgotten to logout the root login session. So the attacker could enter in single user mode, without the need for the root password, and load a

Re: Doubts about OpenBSD security.

2006-06-21 Thread Ted Unangst
On 6/21/06, João Salvatti [EMAIL PROTECTED] wrote: Let's suppose an attacker entered the room where an OpenBSD server is why didn't you lock the door? located in, and by mistake the system administrator has forgotten to logout the root login session. So the attacker could enter in single

Re: Doubts about OpenBSD security.

2006-06-21 Thread Darrin Chandler
On Wed, Jun 21, 2006 at 02:23:20PM -0300, João Salvatti wrote: My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password?

Re: Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti
] On Behalf Of João Salvatti Sent: Wednesday, June 21, 2006 1:23 PM To: Misc OpenBSD Subject: Doubts about OpenBSD security. My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when

Re: Doubts about OpenBSD security.

2006-06-21 Thread Bob Beck
* João Salvatti [EMAIL PROTECTED] [2006-06-21 11:38]: My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it

Re: Doubts about OpenBSD security.

2006-06-21 Thread Jared Solomon
That's why I always hardware hack my servers with a fragmentation grenade. And, for good measure, anti-personnel mines underneath the raised flooring. On 6/21/06, Dries Schellekens [EMAIL PROTECTED] wrote: Once someone has physical access, all is lost with current hardware. -- Try to do

Re: Doubts about OpenBSD security.

2006-06-21 Thread Matthew Jenove
João Salvatti [EMAIL PROTECTED] wrote: Let's suppose an attacker entered the room where an OpenBSD server is located in, Most would argue that at this point you've already lost the security game. So the attacker could enter in single user mode, without the need for the root password, He

Re: Doubts about OpenBSD security.

2006-06-21 Thread Gabriel Puliatti
On 6/21/06, Gabriel Puliatti [EMAIL PROTECTED] wrote: On 6/21/06, Theo de Raadt [EMAIL PROTECTED] wrote: My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run

Re: Doubts about OpenBSD security.

2006-06-21 Thread John R. Shannon
João Salvatti wrote: My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security

Re: Doubts about OpenBSD security.

2006-06-21 Thread Peter Landry
To: Misc OpenBSD Subject: Doubts about OpenBSD security. My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May

Re: Doubts about OpenBSD security.

2006-06-21 Thread Don Boling
in particular... Peter L. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of João Salvatti Sent: Wednesday, June 21, 2006 1:23 PM To: Misc OpenBSD Subject: Doubts about OpenBSD security. My doubts may seem fool, so thanks in advance

Re: Doubts about OpenBSD security.

2006-06-21 Thread shanejp
Quoting Jared Solomon [EMAIL PROTECTED]: That's why I always hardware hack my servers with a fragmentation grenade. And, for good measure, anti-personnel mines underneath the raised flooring. I prefer to have the doors automatically locked and then have the halon deployed. Much cleaner. ;

Re: Doubts about OpenBSD security.

2006-06-21 Thread Craig Skinner
On Wed, Jun 21, 2006 at 11:54:37AM -0600, Bob Beck wrote: IMNSHO, a root password for single user makes the system *LESS* secure, and I'm dead serious. I would object to any attempt to commit changes to OpenBSD to have one by default. Why? Real simple: *because you asked this

Re: Doubts about OpenBSD security.

2006-06-21 Thread Nick Holland
Bob Beck wrote: ... IMNSHO, a root password for single user makes the system *LESS* secure, and I'm dead serious. I would object to any attempt to commit changes to OpenBSD to have one by default. Why? Real simple: *because you asked this question*. - Now I'm not just crapping on you,

Re: Doubts about OpenBSD security.

2006-06-21 Thread Tony Abernethy
Nick Holland wrote: Bob Beck wrote: ... IMNSHO, a root password for single user makes the system *LESS* secure, and I'm dead serious. I would object to any attempt to commit changes to OpenBSD to have one by default. Why? Real simple: *because you asked this question*. - Now I'm