Re: [Dorset] Setting up machines for others

2012-02-12 Thread Gemma



On 12/02/12 11:09, Peter Merchant wrote:
> On Sun, 2012-02-12 at 01:30 +, CPK Smithies wrote:
> > Independently and in collaboration with Paul Tyson, I have now set up or
> > assisted in the setup of ten Linux machines for others (eight of whom
> > were converted from M$ (and none of those has complained!)).
> >
> > One security feature in Ubuntu that I'm not too keen on is the disabling
> > of the root account: this is done during the Ubuntu installation process
> > by setting a random and undisclosed root password. This is certainly an
> > improvement on early Ubuntu releases, where the root password was left
> > blank and it was therefore possible to cruise serenely into a root shell
> > by selecting the "recovery console" boot option. Nevertheless, it
> > ignores one very fruitful avenue whereby the inexpert user can trash his
> > system.
> >
> > One of my converts (no names, no pack-drill) decided to change his
> > password. And then he instantly forgot it. He was the only
> > administrative user on the system. I hadn't set the root password.
> > (Luckily, he used his machine only for web access, so a reinstall was
> > not too traumatic.)
> >
> > Now, whenever I install a system for someone else, I set a really
> > unmemorable password for root,

I have a problem with unmemorable, so I've started taking this advice
http://xkcd.com/936/
G.

> > write it down, give it to them, and
> > instruct them to file the paper copy somewhere inaccessible and never
> > use it unless instructed.
> >
> > Criticisms of this approach are welcome.
> >
> > Regards to all,
> >
> > CPKS
> >
> Just to expand on this topic, and learn 'best practice', do you create
> three partitions (system, Home/data, and backup) and use something like
> clonezilla to image the system to the backup partition?
>
> PM.


--
Next meeting:  Bournemouth, Tuesday 2012-03-06 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread on mailing list:  mailto:dorset@mailman.lug.org.uk
How to Report Bugs Effectively:  http://goo.gl/4Xue





Re: [Dorset] Setting up machines for others

2012-02-12 Thread Peter Merchant
On Sun, 2012-02-12 at 12:24 +, Ralph Corderoy wrote:
> Hi Keith,
> 
> > > Presumably, anything giving access to reboot(2), which reboot(8)
> > > doesn't, would do.
> > 
> > Actually, bear in mind that the method I outlined will have only
> > /bin/bash running (other than the kernel, etc). The easiest, if
> > somewhat dramatic, way out from the keyboard is to type ^D, which will
> > crash the system immediately (exercise for reader: why?). So, you may
> > as well just hit the power switch...
> 
> Yes, that's my point.  This isn't single-user mode where exiting the
> shell would continue with a multi-user boot so one's stuck.
> Pre-upstart, reboot(8) would use reboot(2) and the kernel would, well,
> re-boot, no need to power off.  The simple user-space interface to those
> system calls has been taken away.
> 
> Cheers, Ralph.
> 
Without trying it, I cannot comment. But I usually use "shutdown  now"
followed by "halt". 

PM.





Re: [Dorset] Setting up machines for others

2012-02-12 Thread Peter Merchant
On Sun, 2012-02-12 at 11:34 +, Kevin Giles wrote:
> Hi folks,
>
> When setting up a machine for others, I have learnt to write the root
> password on the machine inside the case. Here, non-owning users will
> never see it but I know I can always retrieve it.
> Cheers, Kev

--*** Beautiful. Love it!

PM




Re: [Dorset] Setting up machines for others

2012-02-12 Thread Ralph Corderoy
Hi Keith,

> > Presumably, anything giving access to reboot(2), which reboot(8)
> > doesn't, would do.
> 
> Actually, bear in mind that the method I outlined will have only
> /bin/bash running (other than the kernel, etc). The easiest, if
> somewhat dramatic, way out from the keyboard is to type ^D, which will
> crash the system immediately (exercise for reader: why?). So, you may
> as well just hit the power switch...

Yes, that's my point.  This isn't single-user mode where exiting the
shell would continue with a multi-user boot so one's stuck.
Pre-upstart, reboot(8) would use reboot(2) and the kernel would, well,
re-boot, no need to power off.  The simple user-space interface to those
system calls has been taken away.

Cheers, Ralph.



Re: [Dorset] Setting up machines for others

2012-02-12 Thread Keith Edmunds
On Sun, 12 Feb 2012 11:58:54 +, ra...@inputplus.co.uk said:

> Presumably, anything giving access to reboot(2), which reboot(8)
> doesn't, would do.

Actually, bear in mind that the method I outlined will have only /bin/bash
running (other than the kernel, etc). The easiest, if somewhat dramatic,
way out from the keyboard is to type ^D, which will crash the system
immediately (exercise for reader: why?). So, you may as well just hit the
power switch...
-- 
"You can have everything in life you want if you help enough other people
get what they want" - Zig Ziglar. 

Who did you help today?



Re: [Dorset] Setting up machines for others

2012-02-12 Thread Ralph Corderoy
Hi Keith,

> > A re-install isn't necessary AFAICS.  Boot from other media
> 
> Even easier (to my mind, at least):
> 
> Boot with 'init=/bin/bash' appended to the kernel line in Grub (you
> can edit that grub line when you boot), then:
> 
> # mount -o remount,rw /
> # passwd
> [usual passwd dialogue to change root password]
> # sync

Yes, I agree it's easier, as long as one's happy with just a shell and
nothing else.  (root doesn't need to enter his current password,
whoever's password he's changing.)

> Then reboot.

I do find it annoying on Ubuntu that reboot(8) doesn't work without all
the upstart infrastructure up and running;  one's left with no way out
other than power off the PC (mine doesn't have a reset button).
Presumably, anything giving access to reboot(2), which reboot(8)
doesn't, would do.

Cheers, Ralph.



Re: [Dorset] Setting up machines for others

2012-02-12 Thread Kevin Giles
Hi folks,

> He was the only administrative user on the system. I hadn't set the
> root password.  (Luckily, he used his machine only for web access, so
> a reinstall was not too traumatic.)

When setting up a machine for others, I have learnt to write the root
password on the machine inside the case. Here, non-owning users will
never see it but I know I can always retrieve it.
Cheers, Kev



Re: [Dorset] Setting up machines for others

2012-02-12 Thread Peter Merchant
On Sun, 2012-02-12 at 01:30 +, CPK Smithies wrote:
> Independently and in collaboration with Paul Tyson, I have now set up or
> assisted in the setup of ten Linux machines for others (eight of whom
> were converted from M$ (and none of those has complained!)).
> 
> One security feature in Ubuntu that I'm not too keen on is the disabling
> of the root account: this is done during the Ubuntu installation process
> by setting a random and undisclosed root password. This is certainly an
> improvement on early Ubuntu releases, where the root password was left
> blank and it was therefore possible to cruise serenely into a root shell
> by selecting the "recovery console" boot option. Nevertheless, it
> ignores one very fruitful avenue whereby the inexpert user can trash his
> system.
> 
> One of my converts (no names, no pack-drill) decided to change his
> password. And then he instantly forgot it. He was the only
> administrative user on the system. I hadn't set the root password.
> (Luckily, he used his machine only for web access, so a reinstall was
> not too traumatic.)
> 
> Now, whenever I install a system for someone else, I set a really
> unmemorable password for root, write it down, give it to them, and
> instruct them to file the paper copy somewhere inaccessible and never
> use it unless instructed.
> 
> Criticisms of this approach are welcome.
> 
> Regards to all,
> 
> CPKS
> 
Just to expand on this topic, and learn 'best practice', do you create
three partitions (system, Home/data, and backup) and use something like
clonezilla to image the system to the backup partition?

PM.




Re: [Dorset] Setting up machines for others

2012-02-12 Thread Keith Edmunds
On Sun, 12 Feb 2012 09:54:26 +, ra...@inputplus.co.uk said:

> A re-install isn't necessary AFAICS.  Boot from other media

Even easier (to my mind, at least):

Boot with 'init=/bin/bash' appended to the kernel line in Grub (you can
edit that grub line when you boot), then:

# mount -o remount,rw /
# passwd
[usual passwd dialogue to change root password]
# sync

Then reboot.
-- 
"You can have everything in life you want if you help enough other people
get what they want" - Zig Ziglar. 

Who did you help today?



Re: [Dorset] Setting up machines for others

2012-02-12 Thread Ralph Corderoy
Hi CPKS,

> Independently and in collaboration with Paul Tyson, I have now set up
> or assisted in the setup of ten Linux machines for others (eight of
> whom were converted from M$ (and none of those has complained!)).

Well done!  Out of interest, what do they get?  Unity!?  :-)

> One of my converts (no names, no pack-drill) decided to change his
> password. And then he instantly forgot it.

I normally ask if it was "amnesia" at that point.

> He was the only administrative user on the system. I hadn't set the
> root password.  (Luckily, he used his machine only for web access, so
> a reinstall was not too traumatic.)

A re-install isn't necessary AFAICS.  Boot from other media, mount the
original filesystem so /etc/shadow is available, replace the crypt(3)ed
digest for root with one for which you know the password.

sudo egrep '^(root|'$USER'):' /etc/shadow

I once used this technique to re-gain access to a Xenix box for a sys.
admin. who'd been delivered it to install.  Back then, I asked if he had
a disk sector editor for DOS and a bootable floppy to put it on.  After
a bit of hunting he found one, part of Norton I think, and I searched
for typical contents of /etc/passwd (pre-shadow(5)), found a few
possible sectors and edited each, using the GECOS field to ensure the
file remained the same length.

Cheers, Ralph.
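
Added example, not part of the message above or of the list archive: the egrep command in that message prints the root and $USER entries of /etc/shadow, and this Python code reads the second field of such entries the way shadow(5) defines it (empty means no password is required; a leading ! or * means password login is locked). The SAMPLE entries are constructed and the function names are illustrative.

```python
# Added example: classify the password field of shadow(5) entries.
# SAMPLE is constructed; the salts and digests are placeholders, not real hashes.
SAMPLE = """\
root:!:15382:0:99999:7:::
daemon:*:15382:0:99999:7:::
alice:$6$EXAMPLESALT$PLACEHOLDERDIGEST:15382:0:99999:7:::
bob::15382:0:99999:7:::
carol:!$1$EXAMPLE$PLACEHOLDERDIGEST:15382:0:99999:7:::
"""

# crypt(3) "$id$" prefixes; a digest without one is traditional DES crypt.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def scheme_of(digest):
    """Name the hashing scheme of a crypt(3) digest string."""
    if not digest.startswith("$"):
        return "des"
    return SCHEMES.get(digest.split("$")[1], "unknown")


def classify_field(field):
    """Return (state, scheme) for the second field of a shadow entry."""
    if field == "":
        return ("empty", None)       # no password is required to log in
    if field[0] in "!*":
        digest = field.lstrip("!*")  # a locked entry may still carry a digest
        return ("locked", scheme_of(digest) if digest else None)
    return ("set", scheme_of(field))


def audit(shadow_text):
    """Map each account name to its (state, scheme); skip malformed lines."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            result[fields[0]] = classify_field(fields[1])
    return result


def needs_attention(shadow_text):
    """Accounts with no password at all, or an outdated DES/MD5 digest."""
    return sorted(name for name, (state, scheme) in audit(shadow_text).items()
                  if state == "empty" or scheme in ("des", "md5crypt"))


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(name, *verdict)
```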



[Dorset] Setting up machines for others

2012-02-11 Thread CPK Smithies
Independently and in collaboration with Paul Tyson, I have now set up or
assisted in the setup of ten Linux machines for others (eight of whom
were converted from M$ (and none of those has complained!)).

One security feature in Ubuntu that I'm not too keen on is the disabling
of the root account: this is done during the Ubuntu installation process
by setting a random and undisclosed root password. This is certainly an
improvement on early Ubuntu releases, where the root password was left
blank and it was therefore possible to cruise serenely into a root shell
by selecting the "recovery console" boot option. Nevertheless, it
ignores one very fruitful avenue whereby the inexpert user can trash his
system.

One of my converts (no names, no pack-drill) decided to change his
password. And then he instantly forgot it. He was the only
administrative user on the system. I hadn't set the root password.
(Luckily, he used his machine only for web access, so a reinstall was
not too traumatic.)

Now, whenever I install a system for someone else, I set a really
unmemorable password for root, write it down, give it to them, and
instruct them to file the paper copy somewhere inaccessible and never
use it unless instructed.

Criticisms of this approach are welcome.

Regards to all,

CPKS

