2006/6/21, Joco Salvatti <[EMAIL PROTECTED]>:
Let's suppose an attacker entered the room where an OpenBSD server is located, and by mistake the system administrator has forgotten to log out of the root login session.
http://www.darkwing.com/idled/
So the attacker could enter single-user mode, without the need for the root password,
/etc/ttys: - console "/usr/libexec/getty Pc" vt220 off secure + console "/usr/libexec/getty Pc" vt220 off insecure
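Review bot: the `+` line flips the console entry from `secure` to `insecure` with no word on what that does. Say next to the change that, per ttys(5), an insecure console is what makes init(8) ask for the root password before it starts the single-user shell. Also state that this covers only the single-user case in the question; a root session left logged in is untouched by this line and still needs the idle-logout handling linked above.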
I believe it could be more difficult for the attacker if there were a different password to log in to the system in single-user mode.
create a new user "admin", with same uid/gid of root.
change root shell to /sbin/nologin

"root" will login only from single user with a password
in normal administration you can `su - admin' with a different password from root.

and, about load kernel modules:
securelevel(7)

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
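An added example, not part of the original message: a small audit of the two settings suggested in this reply, the console flag in ttys(5) and the uid 0 accounts in passwd(5). The function names `console_flag` and `uid0_accounts` are hypothetical, and the sample files are constructed so the script runs without touching /etc.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the console entry of a
# ttys(5) file and lists the uid 0 accounts of a passwd(5) file.

# console_flag FILE -> prints secure | insecure | missing
# The console counts as secure only if the literal token "secure" appears
# among the status fields; anything else means init(8) asks for the root
# password before single-user mode.
console_flag() {
    awk '
        { gsub(/"[^"]*"/, "CMD"); sub(/#.*/, "") }  # hide getty cmd, drop comments
        $1 == "console" {
            found = 1; state = "insecure"
            for (i = 4; i <= NF; i++) if ($i == "secure") state = "secure"
            print state; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# uid0_accounts FILE -> prints "name:shell" for every entry with uid 0
# ($NF is the shell in both passwd and master.passwd layouts).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $NF }' "$1"
}

# Constructed sample files mirroring the setup described in the reply.
tmp=$(mktemp -d)
printf '%s\n' \
    '# name  getty  type  status' \
    'console "/usr/libexec/getty Pc" vt220 off insecure' \
    'ttyC0   "/usr/libexec/getty Pc" vt220 on  secure' > "$tmp/ttys"
printf '%s\n' \
    'root:*:0:0:Charlie &:/root:/sbin/nologin' \
    'admin:*:0:0:Admin:/root:/bin/ksh' \
    'joe:*:1000:1000:Joe:/home/joe:/bin/ksh' > "$tmp/passwd"

echo "console: $(console_flag "$tmp/ttys")"
echo "uid 0 accounts (name:shell):"
uid0_accounts "$tmp/passwd" | sed 's/^/  /'
rm -rf "$tmp"
```

Run the two functions against the real /etc/ttys and /etc/passwd to confirm the console is not marked secure and to see every account that carries uid 0.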

