Anyone can change my root or user password?

newbie2fedora · #1 7th August 2005, 07:42 PM

From what I know, theres a way to change/reset root password & user passwords if u forget them.

Which means anyone having such knowhow & physical access to my PC can tamper with my linux system!

Is there ANY way to prevent all this?

And I really can't afford to lock up my pc....my family uses it and I'm just a 21-yr kid using the same pc

So I know that NO ONE in my family would do any intentional damage to my pc......what I ONLY want is that no one should get access to my linux system by changing password etc.

Apart from encrypting personal files, isn't there ANY other way?

Thanks

jombeewoof · #2 7th August 2005, 07:49 PM

check out password protecting grub
if you can't change grub, you can't enter single user mode and you can't change root password

huw-l · #3 7th August 2005, 08:23 PM

Quote:

Originally Posted by newbie2fedora

Which means anyone having such knowhow & physical access to my PC can tamper with my linux system!

Anyone who has physical access to your machine can do whatever they want to it. Once a knowledgable adversary has access to your machine the game is up whatever operating system you are running.

Having said that unless your family are all l33t haxx0rz I don't think you really have to worry about anything.

If you are the only person with root on the machine then there isn't a lot they can do unless they know how to use single-user mode or a rescue disk.

pparks1 · #4 7th August 2005, 08:34 PM

Yes, physical access to the computer means that somebody will be able to change your root password.
Even setting a grub password can't stop them. They can simply boot off the 1st Fedora CD and run linux rescue.

To secure the box you can do the following:
1. Remove the cd rom entirely.
2. set a BIOS password and set it to NOT boot from CD or floppy.

Omega Blue · #5 8th August 2005, 08:39 AM

Hm, nothing helps you if somebody has physical access to your box.

BIOS password can be defeated by removing the battery for a few minutes.

JordanN · #6 10th August 2005, 10:42 AM

Quote:

Originally Posted by Omega Blue

BIOS password can be defeated by removing the battery for a few minutes.

or shorting the reset jumper.

daniel_owen_uk · #7 10th August 2005, 10:58 AM

Or replacing the bios chip, but we are pushing it there :P

Omega Blue · #8 10th August 2005, 11:05 AM

Or just taking the HDD out and connect it to another system.

Twey · #9 10th August 2005, 12:10 PM

Or doing this to it.

gavinw6662 · #10 10th August 2005, 02:41 PM

Quote:

Originally Posted by jombeewoof

check out password protecting grub
if you can't change grub, you can't enter single user mode and you can't change root password

that's your best bet in this scenario, or go with BSD, single user mode requires root pasword.

tejas · #11 10th August 2005, 07:00 PM

The beuty of GRUB is that you can choose WHEN you want GRUB to ask for the password, by putting the password line in different places in GRUB

Surf the web for more details, but if memory serves
1) Put it in the beginning for a required password to boot up at all
2) under the 'default' setting for booting snything other than the default
3) on the first line of each OS if you want anyone to not modify the kernel arguments --> This is the security that you, in particulr, want. you can even ahve different passwords for windows and linux

This implies that

Twey · #12 10th August 2005, 07:03 PM

Unless someone uses a boot disk. And so the cycle begins anew.

Short of encrypting your entire hard drive using cloop, you're not going to be able to do this.

tejas · #13 10th August 2005, 07:14 PM

Well, if you are that paranoid, there is nothing you can do short of:

1) BIOS password
2) Remove the mother board unless you are using the machine
3) encrypt the entire machine just before you shut down, and unencrypt on boot
4) Take the hard disk out when you are done with the computer
5) only travel in an armored car (did I mention bullet-proof)
6) Do not have internet access of any kind
7) Do not have a
a) Floppy Disk
b) CD Drive
c) USB port
d) Speaker System (Advanced Hacking techniques: cat file > /dev/dsp and then somehow record and decode the garbage outputted. Even worse if it becomes an mp3)
8) Camera watching the computer
9) Round the clock security
10) Biometrics - So that your retina scan/fingerprint will start the computer

Also, for extra safety, you should remove programs like:
1) rpm - No more installed files
2) yum - No easier way either
3) gcc/g++/gcj - we don't want anyone compiling evil cracking programs, do we?
4) ping
5) ifconfig
6) ssh/vsftpd <- perhaps the most evil of all of them. Letting people log in. Worse yet..... telnet!!! the b*stards

Can I stop being sarcastic or do I need to go on?