Just pulling out a cable lets me log in to root without password?

Hey guys,

Although I've been running FreeBSD for quite a while now, I feel like quite a newb compared to you, so please be gentle. Recently my FreeBSD box broke down. I connected my Linux Box power supply to the motherboard, and only the boot drive, to keep my data safe. The BSD box booted just like normal, except that it asked me for help and offered me to go into a shell (obviously because fstab couldn't find and mount the data drives). I could shut down the box, however, I could also scroll through all the folders in "/" and whatnot. Later it hit me that this must be a security breach. Did I just log into root without having to enter a password? That's not quite safe, right? That would mean you can log into any BSD box, just by unplugging a device that fstab is looking for... I hope I'm wrong. Can I set it such that at least I have to enter the root password when this happens?

Kind regards, Moef.
 
The BSD box booted just like normal, except that it asked me for help and offered me to go into a shell (obviously because fstab couldn't find and mount the data drives).
That's single user mode. And you are logged in as root. That's correct.
That's not quite safe, right?
Anybody with access to the disk can simply mount it on another system and read the contents. That's the same for Linux, Windows, MacOS, and a whole bunch of other operating systems.

That would mean you can log into any BSD box, just by unplugging a device that fstab is looking for...
Don't need to unplug anything. Just select "single user mode" in the boot menu.

Can I set it such that at least I have to enter the root password when this happens?
Edit /etc/ttys.
Code:
# when going to single-user mode.
console none                            unknown off secure
Change the secure to insecure and you will get a password prompt when booting in single user mode. It's not going to do you any good though, I can still take out the disk, attach it to a system I control, mount it and read/modify all its contents.

Anybody with physical access to the machine can circumvent its security. That's why things like disk encryption exist.
 
Change the secure to insecure and you will get a password prompt when booting in single user mode. It's not going to do you any good though, I can still take out the disk, attach it to a system I control, mount it and read/modify all its contents.
It might make some sense when you use a serial console and make it accessible from remote. But then, it would make much more sense to properly secure that remote access mechanism instead?

So, yes, agreed, assuming the local console is "secure" in single-user mode is a sane default. It's also how you would recover from a lost root password...
 
[…] Later it hit me that this must be a security breach. Did I just log into root without having to enter a password? That's not quite safe, right? […]
It’s a basic security principle: A person who has physical access to a machine can be deemed to essentially already have root access. SirDice has explained how/why. That’s why you can put a padlock to any premium chassis (frequently combined with a Kensington Lock [or derivative]). Therefore enforcing a password prompt to a physical terminal/console has virtually no benefit unless you can prevent any interference with the hardware.
[…] Edit /etc/ttys. […] Change the secure to insecure and you will get a password prompt when booting in single user mode. […]
For future installations of FreeBSD, bsdinstall(8) (the script that guides you through the installation) will allow you in a(n optional) hardening step to change this. The label reads secure_console (“Enable console password prompt”) and is by default off (i.e. what you have observed).
 
That’s why you can put a padlock to any premium chassis (frequently combined with a Kensington Lock [or derivative]).
And why servers are generally locked up in a secured room, which only authorized people can access. Modern servers also have a switch that gets tripped when you open the chassis. It can send an alert to the sysadmins if a server chassis has been opened.
 
Edit /etc/ttys.
Code:
# when going to single-user mode.
console none unknown off secure
Change the secure to insecure and you will get a password prompt when booting in single user mode.
Apparently changing secure to insecure has no effect anymore (at least not on 13.2-RELEASE). The system drops into single-user mode without prompting for a password, asking for a shell path for the root user.

Optionally, one can set a boot-lock password in /boot/loader.conf:
Code:
bootlock_password="<password>"
From /boot/defaults/loader.conf:
Code:
#bootlock_password=""             #  Prevent booting (see check-password.4th(8))
The downside here is, a password is asked every time before the system is booted, before the boot menu is available.

But this is no protection at all against an attacker who has access to the hardware.

By the way, the secure_console option in the hardening dialog during installation is a sed(1) line, changing console secure to insecure in /etc/ttys:

/usr/libexec/bsdinstall/hardening
Code:
           secure_console)
                   sed "s/unknown  off secure/unknown  off  insecure/g" $BSDINSTALL_CHROOT/etc/ttys > $BSDINSTALL_TMPETC/ttys.hardening
 
Apparently changing secure to insecure has no effect anymore (at least not on 13.2-RELEASE). The system drops into single-user mode without prompting for a password, asking for a shell path for the root user.
If this is really true then it must be a serious security regression that should be reported immediately.
 
If this is really true then it must be a serious security regression that should be reported immediately.
Before reporting, it would be best if someone else could confirm the invalidity, to rule out that only my system is affected.

Try on 13.2-RELEASE (releng/13.2), stable/13, stable/14 (14.0-ALPHA3), eventually the 12 branch, considering it will be EoL at the end of the year.
 
Before reporting, it would be best if someone else could confirm the invalidity, to rule out that only my system is affected.
Fresh install from a few days ago, it works ok:
Code:
root@:~ # uname -a
FreeBSD  13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC amd64
root@:~ #

root@:~ # grep ^console /etc/ttys
console    none                unknown    off insecure
root@:~ #
Password is being asked.
 
And why servers are generally locked up in a secured room, which only authorized people can access. Modern servers also have a switch that gets tripped when you open the chassis. It can send an alert to the sysadmins if a server chassis has been opened.
And retinal scans, man traps and the whole rigamarole in colo centers. Good practice too is to seal off all USB ports with hot glue and disable them in the BIOS as well.
 
Clearly only my system is affected. It's running from a thumb drive (I'm visiting relatives, didn't want to take my laptop, it would have meant extra luggage).

I checked the configuration several times before posting, booting into single-user mode, and dropping from multi-user, not sure why my system is affected.

bsduck, _martin, sko, thank you all for testing.

Sorry for the noise.
 
I checked the configuration several times before posting,
I actually had to try twice... be sure to edit the *first* line after the "when going to single-user mode" comment (starting with 'console'), *not* (like me) the one starting with 'ttyv0' that comes after... :rolleyes:
 
... be sure to edit the *first* line after the "when going to single-user mode" comment (starting with 'console'), *not* (like me) the one starting with 'ttyv0' that comes after... :rolleyes:
Thanks for pointing that out. I did edit the 'console' line:
Code:
console    none                unknown    off insecure
, but still single-user doesn't ask for a password. Since my system is the only one affected, and only temporary in use, I didn't investigate further.
 
I'm sorry to have you waiting for my answer Andriy, I haven't logged into my forums account for quite a while and didn't notice you quoted my post (indicated by alerts).
Perhaps a silly question, but does root account have a (not empty) password?
In the end not so silly at all.

I've just checked, indeed, the root account has no password set. I installed Root-on-ZFS manually on a USB stick besides Linux and forgot to set the root password. Even when I logged in the root account I didn't realize (The last two months I had to work physically, I was and I'm still overtired.).

No wonder, without a root password set, the system won't prompt for a password when dropping to single user mode.
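
A check that combines the two conditions this thread arrives at (the `console` line in /etc/ttys marked insecure, and a non-empty root password), as an added example that is not part of any post above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: will single-user mode ask for the root password?
# Reads ttys(5) and master.passwd(5) formatted files given as arguments.

# Print "secure" or "insecure" for the active 'console' entry only.
# Commented-out lines and ttyv0 etc. are ignored (the pitfall noted above).
console_flag() {
    awk '$1 == "console" {
            for (i = 2; i <= NF; i++)
                if ($i == "secure" || $i == "insecure") { print $i; exit }
         }' "$1"
}

# Print "empty" if root's password field is blank, otherwise "set".
root_pw_state() {
    awk -F: '$1 == "root" { print ($2 == "" ? "empty" : "set"); exit }' "$1"
}

# Print "yes" only when both conditions from the thread hold.
single_user_prompts() {
    flag=$(console_flag "$1")
    pw=$(root_pw_state "$2")
    if [ "$flag" = "insecure" ] && [ "$pw" = "set" ]; then
        echo "yes"
    else
        echo "no (console=${flag:-missing}, root password=${pw:-missing})"
    fi
}

# Constructed sample files (not taken from a real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ttys" <<'EOF'
# when going to single-user mode.
console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
EOF
printf 'root::0:0::0:0:Charlie &:/root:/bin/sh\n' > "$SAMPLES/mp_empty"
printf 'root:$6$constructed$hash:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$SAMPLES/mp_set"

single_user_prompts "$SAMPLES/ttys" "$SAMPLES/mp_empty"   # the thread's last case
single_user_prompts "$SAMPLES/ttys" "$SAMPLES/mp_set"
```

On a real system, run `single_user_prompts /etc/ttys /etc/master.passwd` as root, since master.passwd is not world-readable.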
 