simple add to admin group

Fri Sep 30 05:24:57 UTC 2005

On Thu, 2005-09-29 at 11:44 +0300, janne.jokitalo at dnainternet.net wrote:
> Quoting "R.L. Reingard" <reingard at hispeed.ch>:
> 
> > hi all
> 
> Hello!
> 
> > yesterday i fixed the 'sudoers disaster' simply by:
> > 
> > picking the "recovery mode"
> > AND putting my user back to the admin group:
> > $ adduser username admin
> > 
> > eventhough i like the fact, that i was able to fix the 'sudoers
> > disaster' so quickly, i question myself now:
> 
> Never hurts to do so every once in a while... :)
> 
> > someone knowing the password of a simple user (one not in the  
> > sudoers-list) could start up the machine in 'recovery mode' and add that
> > user by the same command to the admin group (the admin group, which has
> > by default sudo rights).
> 
> Yes, this is true.
> 
> > is that nice?
> 
> I suppose. Consider the situation where you were, but didn't have that
> opportunity at all. What would you have done then?
> 
> I think this has already been under conversation here earlier, and if I remember
> correctly the suggestions were to protect the boot menu first, or set a BIOS
> level password, so that you cannot even get to the phase where you can choose
> single-user mode (without knowing the BIOS password). I might forget something,
> so people wiser than me, please correct me if that's wrong.
> 
> I've made that BIOS thingie, and I am well aware that a skilled intruder could
> possible go around that, no problem. I don't think any measures will stop
> someone determined enough to break into your system. But it rules out everyone
> who just happen to walk by a shutdown laptop that's been left alone for one
> minute while the owner is taking a leak

Open case, remove drive. Bye! Pretty much all security is useless if an
attacker has physical access to the machine.

You can always remove the Recovery entry from the boot menu and manually
boot single-user mode when required.

- P.