On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote:
> Let's suppose an attacker entered the room where an OpenBSD server is
> located in, and by mistake the system administrator has forgotten to
> log out of the root login session. So the attacker could enter in single
> user mode, without the need for the root password, and load a
> malicious kernel module. He also could do millions of other things,
> but changing root's password, because the system administrator would
> notice it immediately.

There isn't much to be done at the operating system level to compensate
for a lack of physical security. Asking for the password when it's
already circumvented is futile.

> I believe it could be more difficult for the attacker if there were a
> different password to log in the system in single user mode.

It would just be annoying for untold numbers of OpenBSD sysadmins across
the planet, and would not fulfill any real security goal.

-- 
Shawn K. Quinn
