Title: Passwords, root, and su
Posted on: 14.08.2006, 21:17
Joined: 14 Aug 2006
Posts: 6
This is probably going to be some simple thing I've stupidly overlooked, so be kind
I'm trying to run 2006-RC4 as a poor man's install, dual-booting with Win XP for the moment. I've been more-or-less following the writeup in http://biohackery.com/node/4#howto, except that in my setup, there is no USB involved. So far I've got Kanotix up and running, without (so far) establishing a persistent home directory or enabling unionfs. (If you need more details about the booting setup, just ask.)
I boot to KDE and launch Konsole. The bash prompt says
knoppix@1[knoppix]$,
so I believe I'm (ordinary) user knoppix. I'd like to be able to su to become root, rather than use sudo. So I type:
su -;
no root password is requested. Fine: I've read that none is set by default. I see (IIRC):
root@1[~]#,
so I'm now root.
I set the root password using the passwd command, and the system accepts it. I then exit root.
Now if I type again su -, either in this Konsole session or in some later one, no password is requested. Why not? In fact, nothing I can do seems to make the system request a root password, and I don't understand this.
Anybody know what's going on?

Title: RE: Passwords, root, and su
Posted on: 15.08.2006, 04:21
Joined: 22 Jul 2005
Posts: 124
Hi shinding. I am not sure what is going on with your system, but some things in your post make no sense. First of all I have Kanotix 2006 Easter RC4 installed here. I also have Kanotix 2005-04, and Win98 (triple boot).
During the installation of Kanotix 2006 Easter RC4, I was asked for a username, a user password, and a root password. Also, unless you chose Knoppix as your username, that makes no sense. It sounds more like you may have some version of Knoppix, NOT Kanotix. While Kanotix was based on Knoppix, it is not the same.
The last time I looked at Knoppix, they were using the Kanotix install script. Are you sure you don't need to post this in the Knoppix forums?

Title:
Posted on: 15.08.2006, 04:57
Joined: 14 Aug 2006
Posts: 6
Hi kb0hae,
No, this really is Kanotix, not Knoppix. The so-called Poor Man's Install originated on Knoppix, but it works (at least it's supposed to) even better on Kanotix. I've been using it on 2005-3 for a year in order to back up my Win partition using partimage. Basically it's just a way to plop the Kanotix .iso down on your hard disk, as is. You boot from the hard disk, but otherwise it's like using the CD. The ability to add a persistent home directory and modify the configuration on the fly using unionfs are just refinements. (It's not a complete Debian'ish install using the Kanotix installation script.)
There's even some documentation in the wiki (http://kanotix.com/index.php?module=pnWikka&tag=PoorMansInstallEN), though there is a notation that the directions there are outdated.
So really, I probably should have phrased my question in terms of what happens on the live CD. On the live CD, if you fire up Konsole, you are user 'knoppix', a holdover from the origins of Kanotix.
The difference is, on the live CD you usually don't much care about whether you are root or not, since a CD is read-only and can't be harmed by malware. But in a PMI, I want to be able to use apt-get (and unionfs) to install more software and to keep a permanent home directory, so I need to understand how to safely and correctly become root. (At least I think I do, until somebody tells me I don't.)

Title:
Posted on: 15.08.2006, 05:54
Joined: 05 Dec 2005
Posts: 414
Location: Auckland, New Zealand
shinding, that's a very good howto!
_________________ Linux is evolution, not intelligent design - Linus Torvalds

Title:
Posted on: 15.08.2006, 06:07
Team Member
Joined: 06 May 2005
Posts: 3087
Location: berlin
shinding,
to create a sticking password, do: sudo passwd and give a password twice.
greetz
devil
_________________ <<We are Xorg - resistance is futile - you will be axximilated>>
Host/Kernel/OS "devilsbox" running[2.6.19-rc1-git5-kanotix-1KANOTIX-2006-01-RC4 ]
CPU Info AMD Athlon 64 3000+ clocked at [ 803.744 MHz ]

Title:
Posted on: 15.08.2006, 17:06
Joined: 14 Aug 2006
Posts: 6
Tried that. The password 'sticks', but if you do a su - after that, the system still makes you root without asking for the password.
I went back and booted up from a CD copy I still have of 2005-03, and the same things happen. So this is an issue (if indeed it is an issue) of longstanding. Perhaps all Knoppix derivatives behave this way? Anyway, I still don't understand why, or what this means for security in a PMI of Kanotix.

Title:
Posted on: 15.08.2006, 17:41
Joined: 02 May 2004
Posts: 471
Location: Portland, OR, USA
That's been a feature of Knoppix (and Kanotix), when run from the live CD or a PMI, since forever. (See "README_Security.txt" on the Knoppix CD.) You have to actually install it to your hard drive in order not to get that behavior. (Or convince the developers to change it....)
(By the way, you can use sux instead of su - if you're trying to run X programs. Still won't ask for a pw, though.)

Title:
Posted on: 16.08.2006, 01:40
Joined: 14 Aug 2006
Posts: 6
Thank you, eco2geek, that's what I needed to know. Although I'm not at all pleased with the answer. This may have made sense when Knoppix and Kanotix live CDs were truly read-only, but with the advent of unionfs and persistent home directories, PMIs can be used as true installations, adding software, managing data, etc. (And there are some good reasons to do so I think, including new hardware detection at boot time.) But it seems to me that without root password protection, such an installation is insecure and potentially wide open to attack. Rather like Windows.
Incidentally, I googled for "README_security.txt". It seems that there are threads all over the web recommending that one read this, but the only place it is to be found is on the Knoppix CD! Which means I'd have to download the whole thing just to read it... probably not.

Title:
Posted on: 16.08.2006, 05:56
Joined: 02 May 2004
Posts: 471
Location: Portland, OR, USA
It's really short, actually:
Quote:
SECURITY CONSIDERATIONS FOR KNOPPIX
==============================
1.) There is no automatic start of external accessible services.
2.) There are no default passwords. All accounts are locked by default. Even local logins are not possible (unless you set a password or create new user accounts as root).
3.) Therefore, all local interactive processes are started by init without authorization.
Version 1.x up to and including 2.1-21-08-2001: Because there is no valid password for "su", but still the possibility should exist to use the system as "rescue cd", all programs (including KDE) are running under root id.
Changed from version 2.1-24-08-2001 and up: The graphical desktop is started with the unprivileged user id "knoppix". Programs that only work for root are started using sudo without password. This has the advantage of making faults caused by defective software very unlikely, but does not enhance local security, since it is fairly easy to switch between the "knoppix" and "root" account. The knoppix user should never be allowed for external logins (in the case that sshd or similar servers are being launched).
4.) You can create valid passwords using "sudo passwd [username]" from the Shell, individually.
This policy (along with "logging out of KDE shuts down the system") shows Knoppix's roots as a "rescue CD".
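
An added example, not part of the original thread or of Knoppix/Kanotix itself: a shell audit for the two conditions the README quoted above describes (locked accounts and sudo without a password), showing why a root password that "sticks" need not gate root. The function names and the sample shadow and sudoers contents are constructed for illustration and are not copied from a real image.

```shell
#!/bin/sh
# Added example (not from Knoppix/Kanotix): audit for passwordless root access.

# Classify each account by field 2 of a shadow file:
# empty = no password needed, leading ! or * = locked, otherwise = set.
shadow_status() {
    awk -F: '$2 == ""      { print $1 ":empty";  next }
             $2 ~ /^[!*]/  { print $1 ":locked"; next }
                           { print $1 ":set" }' "$1"
}

# List the users or groups that hold a NOPASSWD grant in one sudoers file.
# Comment lines and Defaults lines are not grants and are skipped.
nopasswd_grants() {
    awk '/^[ \t]*(#|Defaults)/ { next }
         /NOPASSWD[ \t]*:/     { print $1 }' "$1"
}

# Say whether the root password actually gates root.
# usage: root_gate SHADOW_FILE SUDOERS_FILE
root_gate() {
    root=$(shadow_status "$1" | awk -F: '$1 == "root" { print $2 }')
    grants=$(nopasswd_grants "$2" | paste -sd, -)
    if [ -n "$grants" ]; then
        echo "open: root password is $root, but NOPASSWD sudo for: $grants"
    elif [ "$root" = "set" ]; then
        echo "gated: root password set, no NOPASSWD grants"
    else
        echo "locked: root password is $root, no NOPASSWD grants"
    fi
}

# Constructed sample files, modelled on the README's description only.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shadow" <<'EOF'
root:$1$constructed$notARealHashValue00000:13375:0:99999:7:::
daemon:*:13374:0:99999:7:::
knoppix:!:13374:0:99999:7:::
EOF
cat > "$demo_dir/sudoers" <<'EOF'
# constructed rule: sudo without password for the desktop user
Defaults env_reset
root    ALL=(ALL) ALL
knoppix ALL=NOPASSWD: ALL
EOF
root_gate "$demo_dir/shadow" "$demo_dir/sudoers"
```

Files under /etc/sudoers.d are not followed; pass each one to nopasswd_grants separately.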

Title:
Posted on: 16.08.2006, 09:45
Joined: 05 Oct 2004
Posts: 2069
Location: w3
Quote:
(And there are some good reasons to do so I think, including new hardware detection at boot time.)
Definitely wrong - with Kanotix the hardware detection at every boot works the same way with a traditional HD-install.
Although there are reasons for an "ISO-file based" installation with unionfs and persistent home, they are very rare. It actually makes only sense in case you need a system that is not changeable by users and always starts from scratch (i.e. internet cafe). It might also make sense in a corporate environment, where a pool of machines is used and everybody is carrying his persistent home on a flash drive/usb stick. I can also think of it when using a machine only for a short time because it is a rented one (while my own is in repair).
But everything else is a myth. For daily desktop use the "poor-man's-install" is adding complications and does not provide any additional functionality when compared with a serious d-install. Not being able to have a persistent root password is just a minor one.
Greetings,
Chris
_________________ "An operating system must operate."

Title:
Posted on: 16.08.2006, 16:00
Joined: 14 Aug 2006
Posts: 6
Quote:
Definitely wrong - with Kanotix the hardware detection at every boot works the same way with a traditional HD-install.
I didn't know that-- thanks for correcting my misimpressions. The lack of effective root password, together with your remarks about PMIs, is changing my thinking about the installation problem.
The appealing thing about PMI is that it's awfully easy to do: just download the .iso of the next version, pluck out the vmlinuz and the minirt.gz files, make a few changes to menu.lst and you're done. And you can do this all in a fat32 partition. It's even easy to keep several versions of Kanotix around at the same time. But of course, once you're maintaining a persistent home, it's not quite as easy as that, because there would undoubtedly be compatibility problems from one Kanotix version to the next. And installing new software via unionfs complicates it even more.
As for regular HD installs, I have some questions about how one might achieve some degree of stability (not the same as security!) and repeatability in the rapidly changing flux of apt-get, but these belong in another thread.
Thanks again...

Title:
Posted on: 16.08.2006, 17:07
Joined: 25 Mar 2005
Posts: 2133
If you want to keep your hd install stable, refrain from dist-upgrading the entire system. Upgrading single packages usually works, and if the next stable Kanotix release comes around, you can easily upgrade the entire system by doing an upgrade installation.
It's also a good idea to back up your root partition on a regular basis. You can do that with partimage. Simply boot your computer off the Kanotix cd and save a compressed image file to another drive.
_________________ And I ain't got no worries 'cause I ain't in no hurry at all (Doobie Brothers, "Black Water").

Title: Can I turn off hardware detection? Laptop HD install.
Posted on: 16.08.2006, 18:52
Joined: 15 Jun 2005
Posts: 5
Location: Pasadena, CA
slam wrote:
Definitely wrong - with Kanotix the hardware detection at every boot works the same way with a traditional HD-install.
Chris
I have just completed a HD install onto my laptop computer and would like to startup quicker. I do not need hardware detection because the only configuration change is whether the wireless radio is on or off and whether my ethernet cable is connected. How can I have DHCP requests take place in the background so that the boot process does not wait for the DHCP process to time out if not successful?
How do I attach the Additional Information Block (that I filled out with my equipment description when I registered) so that it appears at the end of my posts?

Title: RE: Can I turn off hardware detection? Laptop HD install.
Posted on: 16.08.2006, 18:58
Joined: 25 Mar 2005
Posts: 2133
Press "ctrl"+"c" to abort dhclient or edit /etc/dhclient.conf:
Code:
sux
mcedit /etc/dhclient.conf
Replace "# timeout 60;" with "timeout 10;".
_________________ And I ain't got no worries 'cause I ain't in no hurry at all (Doobie Brothers, "Black Water").

Title: RE: Can I turn off hardware detection? Laptop HD install.
Posted on: 16.08.2006, 19:00
Joined: 25 Mar 2005
Posts: 2133
Edit your user profile to add a signature.
_________________ And I ain't got no worries 'cause I ain't in no hurry at all (Doobie Brothers, "Black Water").

Title: RE: Can I turn off hardware detection? Laptop HD install.
Posted on: 16.08.2006, 20:13
Joined: 15 Jun 2005
Posts: 5
Location: Pasadena, CA
Thank you Ockham23 for the quick replies. I changed the timeout line and it looks like I have a bunch more editing to do to the IPs etc. I haven't rebooted yet. I did attach a signature block.
_________________ Centrino Laptop. EnPower Xnote Genie.AKA Uniwill 233ii0.
Pentium M 825 1.6GHz, 512MB ram, Intel ProWireless ipw2200B/G, Extreme 855 graphics 1280X800 12.1"Display. triple boot Kanotix 2005-4 HD,Ubuntu 6.0.2, and WinXP. DSL, CompUSA Wireless G router.

Title:
Posted on: 16.08.2006, 20:22
Joined: 25 Mar 2005
Posts: 2133
You're welcome. By the way, didn't Harry Kuhman from the Knoppix forum tell you not to install Knoppix to HD?
http://www.knoppix.net/wiki/User:Harry_Kuhman
_________________ And I ain't got no worries 'cause I ain't in no hurry at all (Doobie Brothers, "Black Water").

Title:
Posted on: 17.08.2006, 00:31
Joined: 05 Dec 2005
Posts: 414
Location: Auckland, New Zealand
slam wrote:
Definitely wrong - with Kanotix the hardware detection at every boot works the same way with a traditional HD-install.
Sorry for my dull mind, but can I clarify this? ... if I do a proper hard drive install to a usb drive (eg by following the steps in http://forum.kanotix.net/index.php?name ... t=63#q321) then are you saying that it will be just as good at hardware detection as a poorman's install (ie ISO)? ... even when I plug the usb into many different computers? ... I thought that a proper install of kanotix had problems in that area (eg the kanotix boot cd would auto detect all the hardware on two different pc's, and bring up the internet connection etc, but if I take the hard drive out of one pc and put it in another then I have to do some fiddling in order for some things to work?).
_________________ Linux is evolution, not intelligent design - Linus Torvalds

Title:
Posted on: 17.08.2006, 09:37
Joined: 05 Oct 2004
Posts: 2069
Location: w3
Quote:
... even when I plug the usb into many different computers?
Yes - even then. Actually that's what I do with my USB-HD every day. Since the full implementation of hal/udev all your hardware is checked and detected at boot time. There are just 3 small restrictions when swapping an existing installation into another machine:
1) You need to check yourself for the correct drivers for the graphics card in /etc/X11/xorg.conf
2) You should manually adapt /etc/fstab
3) Grub does not work on some older BIOSes from USB
Greetings,
Chris
_________________ "An operating system must operate."

Title: Sux behavior not consistent
Posted on: 23.08.2006, 16:57
Joined: 14 Aug 2006
Posts: 6
As an addendum to this thread, I tried out the sux command in Konsole (for the PMI, equivalent to the live cd). To my surprise, it did ask for the root password (and it accepted the password I had set as root with the passwd command.)
Of course, from a security standpoint, this provides virtually nothing, with su still wide open and needing no password. So for the sake of consistency, if nothing else, it might be better to remove this behavior of sux, or else upgrade su to require the root password.