Sthu Deus (sthu.d...@gmail.com on 2011-12-03 17:53 +0700):
> >[..] A standard Debian config
> >should not offer a passwordless root shell unless you explicitly ask
> >for it,
>
> Oh, no! I didn't! :)
>
> Do You have an idea where to look for that? - I have no ideas,
> absolutely.

Just as a pointer, you can get a passwordless root shell by:

- interrupting initramfs: specify break=init on the kernel command line
- overriding init: specify init=/bin/bash on the kernel command line
- configuring inittab: either add a bootwait line spawning /bin/*sh or
  tell getty to bypass login with -l /bin/*sh
- setting SULOGIN=yes in /etc/default/rcS, and either
  a) locking the root account (passwd -l root), which will give you
     "sulogin: root account is locked, starting shell"
  b) deleting root's password (passwd -d root), which will give you
     "Press enter for maintenance(or type Control-D to continue)"

All four methods above will give you an unconditional root shell. Since
yours only spawns on error, none of the above applies.

>
> On other hand, if we pursue this idea - that physical access makes a
> host absolutely undefended, - we can let root account to be
> password-less - for why worrying?

Setting a root password will still protect you from remote users that
have access to login programs (such as su). Locking the root account
reduces the attack surface to your sudoers configuration.

Regards,
Arno

Archive: http://lists.debian.org/20111203150013.1fa5b...@neminis.intra.loos.site
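The four paths listed in the reply above can be checked for on a sysvinit-era Debian host. The following is an added example, not part of the original message: the `audit` function and all sample inputs are constructed for illustration, and it assumes the caller passes in the text of /proc/cmdline, /etc/inittab, /etc/default/rcS and /etc/shadow.

```python
import re

# Constructed sample inputs (not taken from the thread or from a real host).
SAMPLE = {
    "cmdline": "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro init=/bin/bash",
    "inittab": "id:2:initdefault:\n"
               "# sh:2:bootwait:/bin/sh\n"
               "rs:S:bootwait:/bin/bash\n"
               "1:2345:respawn:/sbin/getty 38400 tty1\n"
               "2:23:respawn:/sbin/getty -l /bin/sh 38400 tty2\n",
    "rcs": "# constructed\nSULOGIN=yes\n",
    "shadow": "daemon:*:15000:0:99999:7:::\n"
              "root:!$6$salt$hash:15000:0:99999:7:::\n",
}

SHELL = re.compile(r"/bin/\w*sh\b")  # /bin/sh, /bin/bash, /bin/dash, ...

def audit(cmdline, inittab, rcs, shadow):
    """Return one finding per passwordless-root-shell path that is present."""
    found = []
    # 1 and 2: kernel command line (break=... or init=<shell>)
    for arg in cmdline.split():
        if arg == "break" or arg.startswith("break="):
            found.append(f"cmdline: {arg} interrupts initramfs")
        elif arg.startswith("init=") and SHELL.search(arg):
            found.append(f"cmdline: {arg} overrides init with a shell")
    # 3: inittab entries have the form id:runlevels:action:process
    for line in inittab.splitlines():
        fields = line.strip().split(":", 3)
        if line.lstrip().startswith("#") or len(fields) != 4:
            continue
        action, process = fields[2], fields[3]
        if action == "bootwait" and SHELL.match(process.strip()):
            found.append(f"inittab: bootwait spawns {process}")
        elif "getty" in process and re.search(r"\s-l\s+/bin/\w*sh\b", process):
            found.append(f"inittab: getty bypasses login: {process}")
    # 4: SULOGIN=yes combined with a locked or empty root password field
    sulogin = re.search(r"^\s*SULOGIN=[\"']?yes\b", rcs, re.M) is not None
    root = [l.split(":") for l in shadow.splitlines() if l.startswith("root:")]
    if sulogin and root:
        pw = root[0][1]
        if pw == "":
            found.append("rcS+shadow: SULOGIN=yes and root password deleted")
        elif pw[0] in "!*":
            found.append("rcS+shadow: SULOGIN=yes and root account locked")
    return found

if __name__ == "__main__":
    for finding in audit(**SAMPLE):
        print(finding)
```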