Fedora safe/recovery mode

Arthur Pemberton pemboa at gmail.com
Mon Mar 5 15:18:37 UTC 2007


On 3/6/07, Brian Wheeler <bdwheele at indiana.edu> wrote:
> On Sun, 2007-03-04 at 10:01 -0500, Chuck Anderson wrote:
> > On Sun, Mar 04, 2007 at 09:45:22AM -0500, Chuck Anderson wrote:
> > > On Sun, Mar 04, 2007 at 03:00:05PM +0100, Enrico Scholz wrote:
> > > > > tested this in fedora for some months, but last I checked, runlevel 1
> > > > > dropped the user directly in a root shell.
> > > > >
> > > > > Runlevel 3 is at least as safe as runlevel 5 and could be used with no
> > > > > security implications.
> > > >
> > > > As long as Grub and the BIOS are not protected with a password by
> > > > default, we do not need to discuss this....
> > >
> > > Does grub have a "secure" flag you can put in a stanza to require grub
> > > to prompt for a password?  That would solve the security concern.
> >
> > Answering myself:
> >
> >  -- Command: lock
> >      Prevent normal users from executing arbitrary menu entries. You
> >      must use the command `password' if you really want this command to
> >      be useful (*note password::).
> >
> >      This command is used in a menu, as shown in this example:
> >
> >           title This entry is too dangerous to be executed by normal users
> >           lock
> >           root (hd0,a)
> >           kernel /no-security-os
> >
> >      See also *Note Security::.
> >
> >
> > under *Note Security*:
> >
> >    Also, you can specify an optional argument to `password'. See this
> > example:
> >
> >      password PASSWORD /boot/grub/menu-admin.lst
> >
> >    In this case, GRUB will load `/boot/grub/menu-admin.lst' as a
> > configuration file when you enter the valid password.
> >
>
> What are the chances of a user remembering this password if they've
> forgotten the root password?  If it's set to a default then everyone
> knows it anyway and there's no use in having it in the first place...
>
> The idea (elsewhere in this thread) of having a recovery root (which
> would probably be a busybox based system) on /boot is a good one, but it
> shouldn't have a password either, just a really "stern" warning not to
> do something stupid like, say, remove shared libraries.
>
> Brian

Just to remind everyone that I suggested this solution mostly for what
(in FC6) was a common occurrence of a broken X display. I don't think
single user mode should be _that_ easy to get to.

-- 
Fedora Core 6 and proud
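
Added example, not part of the original message or of GRUB: a small audit of a GRUB legacy menu.lst for the two conditions the quoted manual text describes, a `password` line in the global section and `lock` on entries that boot to a root shell. The sample menu, the hash placeholder and the list of root-shell kernel arguments are constructed assumptions.

```python
import re

# Assumed set of kernel arguments that lead to a root shell (runlevel 1 / single).
ROOT_SHELL_ARGS = {"single", "s", "S", "1", "emergency"}

# Constructed sample menu.lst; the hash is a placeholder, not a real value.
SAMPLE = """\
default=0
timeout=5
password --md5 <md5-crypt-hash-placeholder>
title Fedora Core
    kernel /vmlinuz ro root=LABEL=/ rhgb quiet
title Fedora Core (recovery, runlevel 3)
    kernel /vmlinuz ro root=LABEL=/ 3
title Fedora Core (single user)
    lock
    kernel /vmlinuz ro root=LABEL=/ single
title Fedora Core (single user, unlocked)
    kernel /vmlinuz ro root=LABEL=/ 1
"""

def parse(text):
    """Return (global_password_set, entries) for GRUB legacy menu.lst text."""
    has_password, entries = False, []
    for raw in text.splitlines():
        m = re.match(r"(\w+)[\s=]*(.*)", raw.strip())
        if not m:                      # blank line or comment
            continue
        cmd, rest = m.groups()
        if cmd == "title":
            entries.append({"title": rest, "lock": False, "root_shell": False})
        elif not entries:              # still in the global section
            has_password |= cmd == "password"
        elif cmd == "lock":
            entries[-1]["lock"] = True
        elif cmd == "kernel":
            args = rest.split()[1:]    # skip the kernel image path
            entries[-1]["root_shell"] = any(
                a in ROOT_SHELL_ARGS or a.startswith("init=") for a in args)
    return has_password, entries

def audit(text):
    """List findings: missing global password, unlocked root-shell entries."""
    has_password, entries = parse(text)
    findings = []
    if not has_password:
        findings.append("no global password: lock is not useful without it")
    findings += [f"unlocked root-shell entry: {e['title']}"
                 for e in entries if e["root_shell"] and not e["lock"]]
    return findings
```

Only a `password` line in the global section is checked; a `password` command placed inside an individual entry is not handled.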



