Re: Doubts about OpenBSD security.

2006-06-25 Thread Marcos Laufer
. Honorio Pueyrredon 1694 Tel: (05411)-4586-0134 Fax:(05411)-4585-7550 - Original Message - From: "Shawn K. Quinn" <[EMAIL PROTECTED]> To: Sent: Sunday, June 25, 2006 8:58 PM Subject: Re: Doubts about OpenBSD security. On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote:

Re: Doubts about OpenBSD security.

2006-06-25 Thread Shawn K. Quinn
On Wed, 2006-06-21 at 14:23 -0300, João Salvatti wrote: > Let's suppose an attacker entered the room where an OpenBSD server is > located in, and by mistake the system administrator has forgotten to > logout the root login session. So the attacker could enter in single > user mode, without the need for the root password, and load a malicious kernel module. > > The nee

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ted Unangst
On 6/22/06, Constantine A. Murenin <[EMAIL PROTECTED]> wrote: On 22/06/06, Ted Unangst <[EMAIL PROTECTED]> wrote: > On 6/22/06, Constantine A. Murenin <[EMAIL PROTECTED]> wrote: > > Oops. :) I guess I misunderstood > > http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems > > w

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 22/06/06, Ted Unangst <[EMAIL PROTECTED]> wrote: On 6/22/06, Constantine A. Murenin <[EMAIL PROTECTED]> wrote: > Oops. :) I guess I misunderstood > http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems > where "Kernel type" refers solely to the provided kernel of the OS > it

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ted Unangst
On 6/22/06, Constantine A. Murenin <[EMAIL PROTECTED]> wrote: Oops. :) I guess I misunderstood http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems where "Kernel type" refers solely to the provided kernel of the OS itself, not of the OS features that may be (ab)used by some th

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 22/06/06, Ryan McBride <[EMAIL PROTECTED]> wrote: On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: > On 21/06/06, Joco Salvatti <[EMAIL PROTECTED]> wrote: > >So the attacker could enter in single > >user mode, without the need for the root password, and load a > >malicio

Re: Doubts about OpenBSD security.

2006-06-22 Thread Cristiano Deana
2006/6/21, Joco Salvatti <[EMAIL PROTECTED]>:
> Let's suppose an attacker entered the room where an OpenBSD server is located in, and by mistake the system administrator has forgotten to logout the root login session.
http://www.darkwing.com/idled/
> So the attacker could enter in single user mo

Re: Doubts about OpenBSD security.

2006-06-22 Thread Joachim Schipper
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: > On 21/06/06, Joco Salvatti <[EMAIL PROTECTED]> wrote: > >So the attacker could enter in single > >user mode, without the need for the root password, and load a > >malicious kernel module. > > The attacker cannot load a malic

Re: Doubts about OpenBSD security.

2006-06-22 Thread Ryan McBride
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote: > On 21/06/06, Joco Salvatti <[EMAIL PROTECTED]> wrote: > >So the attacker could enter in single > >user mode, without the need for the root password, and load a > >malicious kernel module. > > The attacker cannot load a malic

Re: Doubts about OpenBSD security.

2006-06-22 Thread Constantine A. Murenin
On 21/06/06, Joco Salvatti <[EMAIL PROTECTED]> wrote:
> So the attacker could enter in single user mode, without the need for the root password, and load a malicious kernel module.
The attacker cannot load a malicious kernel module on OpenBSD, because OpenBSD specifically does not support loadabl

Re: Doubts about OpenBSD security.

2006-06-21 Thread Marian Hettwer
Don Boling wrote: > Wouldn't this be the main reason to use sudo? > Not at all. If your box is not physically secure, even sudo wouldn't prevent an attacker of joking around with your server... Use sudo anyways, but keep your servers physically secu

Re: Doubts about OpenBSD security.

2006-06-21 Thread Marian Hettwer
Hi there, Joco Salvatti wrote: > > 1. Why doesn't passwd ask superuser's current password when it's run > by the superuser to change its own password? May not it be considered > a serious security flaw? No. If you are already root, you could add eas

Re: Doubts about OpenBSD security.

2006-06-21 Thread Tony Abernethy
Nick Holland wrote: > > Bob Beck wrote: > ... > > IMNSHO, a root password for single user makes the system *LESS* > > secure, and I'm dead serious. I would object to any attempt to commit > > changes to OpenBSD to have one by default. Why? Real simple: *because > > you asked this question*. -

Re: Doubts about OpenBSD security.

2006-06-21 Thread Nick Holland
Bob Beck wrote: ... IMNSHO, a root password for single user makes the system *LESS* secure, and I'm dead serious. I would object to any attempt to commit changes to OpenBSD to have one by default. Why? Real simple: *because you asked this question*. - Now I'm not just crapping on you, eve

Re: Doubts about OpenBSD security.

2006-06-21 Thread Craig Skinner
On Wed, Jun 21, 2006 at 11:54:37AM -0600, Bob Beck wrote: > > IMNSHO, a root password for single user makes the system *LESS* > secure, and I'm dead serious. I would object to any attempt to commit > changes to OpenBSD to have one by default. Why? Real simple: *because > you asked this quest

Re: Doubts about OpenBSD security.

2006-06-21 Thread shanejp
Quoting Jared Solomon <[EMAIL PROTECTED]>: > That's why I always hardware hack my servers with a fragmentation > grenade. And, for good measure, anti-personnel mines underneath the > raised flooring. I prefer to have the doors automatically locked and then have the halon deployed. Much cleaner

Re: Doubts about OpenBSD security.

2006-06-21 Thread Don Boling
unning on the system. > > > > Hope that allays some of your fears regarding OpenBSD in particular... > > > > Peter L. > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of Joco Salvatti > > Sent: Wed

Re: Doubts about OpenBSD security.

2006-06-21 Thread Peter Landry
2006 1:23 PM To: Misc OpenBSD Subject: Doubts about OpenBSD security. My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change i

Re: Doubts about OpenBSD security.

2006-06-21 Thread John R. Shannon
Joco Salvatti wrote: My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security fla

Re: Doubts about OpenBSD security.

2006-06-21 Thread Gabriel Puliatti
On 6/21/06, Gabriel Puliatti <[EMAIL PROTECTED]> wrote: On 6/21/06, Theo de Raadt <[EMAIL PROTECTED]> wrote: > > My doubts may seem fool, so thanks in advance for those who will read > > this e-mail and may help me with my doubts. > > > > 1. Why doesn't passwd ask superuser's current password whe

Re: Doubts about OpenBSD security.

2006-06-21 Thread Matthew Jenove
Joco Salvatti <[EMAIL PROTECTED]> wrote:
> Let's suppose an attacker entered the room where an OpenBSD server is located in,
Most would argue that at this point you've already lost the security game.
> So the attacker could enter in single user mode, without the need for the root password,
He

Re: Doubts about OpenBSD security.

2006-06-21 Thread Jared Solomon
That's why I always hardware hack my servers with a fragmentation grenade. And, for good measure, anti-personnel mines underneath the raised flooring. On 6/21/06, Dries Schellekens <[EMAIL PROTECTED]> wrote: Once someone has physical access, all is lost with current hardware. -- Try to d

Re: Doubts about OpenBSD security.

2006-06-21 Thread Bob Beck
* Joco Salvatti <[EMAIL PROTECTED]> [2006-06-21 11:38]: > My doubts may seem fool, so thanks in advance for those who will read > this e-mail and may help me with my doubts. > > 1. Why doesn't passwd ask superuser's current password when it's run > by the superuser to change its own password? May

Re: Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti
ilto:[EMAIL PROTECTED] On Behalf Of Joco Salvatti Sent: Wednesday, June 21, 2006 1:23 PM To: Misc OpenBSD Subject: Doubts about OpenBSD security. My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superus

Re: Doubts about OpenBSD security.

2006-06-21 Thread Darrin Chandler
On Wed, Jun 21, 2006 at 02:23:20PM -0300, Joco Salvatti wrote: > My doubts may seem fool, so thanks in advance for those who will read > this e-mail and may help me with my doubts. > > 1. Why doesn't passwd ask superuser's current password when it's run > by the superuser to change its own passwor

Re: Doubts about OpenBSD security.

2006-06-21 Thread Ted Unangst
On 6/21/06, Joco Salvatti <[EMAIL PROTECTED]> wrote:
> Let's suppose an attacker entered the room where an OpenBSD server is
why didn't you lock the door?
> located in, and by mistake the system administrator has forgotten to logout the root login session. So the attacker could enter in single us

Re: Doubts about OpenBSD security.

2006-06-21 Thread Dries Schellekens
Joco Salvatti wrote: Let's suppose an attacker entered the room where an OpenBSD server is located in, and by mistake the system administrator has forgotten to logout the root login session. So the attacker could enter in single user mode, without the need for the root password, and load a malic

Re: Doubts about OpenBSD security.

2006-06-21 Thread Adam
"Joco Salvatti" <[EMAIL PROTECTED]> wrote: > 1. Why doesn't passwd ask superuser's current password when it's run > by the superuser to change its own password? May not it be considered > a serious security flaw? No, it may not. Why would that matter at all? > 2. Why doesn't the system ask the

Re: Doubts about OpenBSD security.

2006-06-21 Thread Theo de Raadt
> My doubts may seem fool, so thanks in advance for those who will read > this e-mail and may help me with my doubts. > > 1. Why doesn't passwd ask superuser's current password when it's run > by the superuser to change its own password? May not it be considered > a serious security flaw? Oh come

Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti
My doubts may seem fool, so thanks in advance for those who will read this e-mail and may help me with my doubts. 1. Why doesn't passwd ask superuser's current password when it's run by the superuser to change its own password? May not it be considered a serious security flaw? 2. Why doesn't the