recovery from stupid error

Brett Profitt brett at narnarnar.com
Thu Jul 14 19:10:10 CDT 2005


Judd Pickell wrote:
> It is apparent in the responses above, that they get what you mean,
> but you seem to be missing their point. I will attempt to show you by
> presenting your own arguments:

I can assure you that I have missed no points that were made, but that I
believe they are severely flawed.

> 1) A person (other than valid user) sits down at the computer and
> enters recovery mode.
> 2) A person stumbles into a server room (other than a valid admin),
> sits down at the computer and enters recovery mode.
> 
> First, we need to throw out the second example. I don't know of many
> server rooms (at least for operations bigger than a few users) where
> you have a machine with direct monitor and keyboard access to make
> this possible. If you know how to operate the KVM setup you might get
> to it, but if your servers are automatically that accessible, you are
> just begging for someone to break your servers. (Not to mention that
> your servers would need to be rebooted to access Grub to get to
> recovery, which if they can do that from a KVM or direct access to the
> server hardware, you are screwed).

This is, unfortunately, not true.  There are many, MANY conditions under
which a person who is not a valid admin might have access to server rooms:
janitors, upper management, etc.  The second example, then, is highly
significant.

> But the first case makes sense, you wouldn't want someone to sit down
> at your computer reboot it, and access root. However, you fail to miss
> the most obvious point of your whole scenario. IF someone has managed
> to get that much access without your knowledge, and their intents were
> so malicious as to seek out to access root without your knowledge, a
> password on the root access will not protect you.
>
> [SNIP]
>
> So to put it bluntly, root only protects you while your machine is
> already in its operational phase, and only prevents you from doing too
> much harm via a connection to the machine (even X is just a connection
> to the machine at its technical level).
>
> I hope I have put into reality the false-reality you have about
> accessing root. Anytime you allow someone else physical access to your
> machine, you are just asking for root to be busted. If you really want
> to prevent users from doing what has been described above is to not
> give them access to the machine at all (yeah, like we ever have that
> kind of option) or set them up with Dumb terminals that use all the
> resources on a central server.

Once again I mention that I am talking about making bypassing security
easier for those who wish to do harm, who may otherwise not be inclined
to.  I have already stated that I understand that those who wish to
compromise security, given enough experience, will be able to
regardless.  It follows, then, that it is not against these people that
security measures are effective, but it is against another type...those
who may be only curious and adventurous.  I understand the implications
of physical security, but as I have previously discussed, one cannot
assume physical access is allowed only to those who are administrators.

I see that this discussion will not progress to any further meaningful
levels on the list, so I will suggest this:  You may continue believing
that I am wrong and have a false idea of the meaning of security, and I
will continue believing that these practices are dangerous and insecure
for a distribution that caters to new users.

Brett



More information about the ubuntu-devel mailing list