su: Sorry

Hi

I just installed FreeBSD 7.1 on VMware, then installed GNOME with sysinstall and everything worked fine, but then I decided to install KDE and I did. Well, I should say it's nice, but the problem is I cannot run su or sudo when I'm logged in as a normal user, so I am really stuck! :(

When I type su or sudo I get this answer:
Code:
%su: Sorry

Thanks.
 
No I'm not :( I've created another VM and installed FreeBSD again, but this time I first created a user and added it to the wheel group before I installed KDE (because GUI root login is disabled by default in KDE), then installed KDE, and I could run the su command with that user.

I don't know why that is, but I don't like it, why can't a normal user run su?!

Thanks, sverreh.
 
It's a fundamental part of FreeBSD's security model. FreeBSD won't let regular users su to root. They must be part of the wheel group. If you don't like it, learn to like it, because it prevents hackers who manage to crack a user account from grabbing root without too much additional effort.
 
That sounds reasonable. But what's going to happen in a situation like mine, when I just installed FreeBSD and had no idea that there must be a user in the wheel group?

Thanks.
 
I would boot to single user and add a user in group wheel from there. In single user you are automatically root.

Or press Ctrl+Alt+F2 and log in on the virtual terminal to do the job. Press Ctrl+Alt+F9 to get back to the GUI.
 
First of all, I'm new to FreeBSD.

I just tested what sverreh said. It worked, and I even noticed that it's possible to reset the root password in "single user mode"! Why is it so easy to reset the root password with just a few clicks? So anyone that has physical access to your system could log in to your system without any problems. Of course physical security is so important, but at home? There is no physical security at home.

Is there a way to disable this Single User Mode?
 
You can set single-user mode to ask for a password, see /etc/ttys. You will need a root password for setting that option.
 
Thanks DutchDaemon for your help. I've checked it. All I had to do was change "secure" to "insecure" in /etc/ttys:
Code:
console none                            unknown off secure
to
Code:
console none                            unknown off insecure
Is there any other way to reset the root password or create a user account? I mean a rescue disk or something?

And thanks ale for the Handbook.

This is my second day with FreeBSD.
 
Anyone that has physical access to the hardware will be able to access the data on that hardware. All they have to do is pull the harddrive, connect it to another system, and they can do whatever they want. :) And with netbooks and IDE/SATA-to-USB adapters, they don't even have to pull it from the case, just unplug the cord and connect it to the netbook.

You can make things difficult for people (insecure ttys entry, encrypt the harddrive, lock the computer case, lock the door to the room, etc.), but the only way to make a computer completely impenetrable is to encase it in cement, and drop it down a very deep, very dark hole, and then cover that over with cement. :D

Network security is what you should really be concentrating on, unless you really don't trust your friends/roommates/family/etc. ;)
 
Is there any way to disable the password reset via the live CD?

I agree with phoenix: when there is physical access to the system, the data can be recovered; even if we encrypt the data, etc., that would only make access harder, not impossible.

But we should consider the knowledge that is required for deciphering or breaking into a secure system, too. Not everyone has that much knowledge, as far as I know :)

We should do our best to make our systems as secure as possible, isn't that right?

By the way:
"to make a computer completely impenetrable is to encase it in cement, and drop it down a very deep, very dark hole, and then cover that over with cement"
This is a good one.
 
moolideejay said:
Is there any way to disable the password reset via the live CD?
I would suppose that if you encrypted / it would keep someone from doing so, until they could "brute force" the key.
 
moolideejay said:
Is there any way to disable the password reset via the live CD?

You could configure your BIOS to boot from harddisk first and set a BIOS password, so people cannot change that and thus boot a live CD. Then an intruder will have to open your computer to either get access to the drives or reset the BIOS (assuming everything after booting is locked well).
 
tkjacobsen said:
You could configure your BIOS to boot from harddisk first and set a BIOS password, so people cannot change that and thus boot a live CD.
BIOS passwords are notoriously simple to reset.

Then an intruder will have to open your computer to either get access to the drives or reset the BIOS (assuming everything after booting is locked well).
Which is easy to do if you have physical access.

The only way to prevent access to your data (and prevent the root password from being reset using a different boot device) is to use encryption.
 
Hello guys,
I have a similar problem too. I actually knew that I could log in to a virtual console using Ctrl+Alt+F(0-8), but this key combination does not work for me in KDE3 (which, by the way, I installed using pkg_add -r kde-lite).

So what should I do now? I would like to run as root so that I could add a few users to the wheel group as you suggested, and maybe do a visudo too to add them to the /etc/sudoers file.

FYI, I am running FreeBSD 7.2 on a virtual machine using VMware Player.

I'm looking forward to hearing from you guys.
 
I just found this post as I was having a similar problem. Thanks for the replies, all. I just wanted to put in my 2 cents for how I found the answer on my own:
Code:
$ man su
     "...PAM is used to set the policy su(1) will use.  In particular, by default
     only users in the ``wheel'' group can switch to UID 0 (``root'')..."
If you read further you will find indeed you can change this behavior if you don't like it.

Sometimes I think we forget to mention the man pages are a wealth of helpful information distributed on the system.
 

moolideejay said:
First of all, I'm new to FreeBSD.

I just tested what @sverreh said, it worked, I even noticed that it's possible to reset the root password in "single user mode"!

Why is it so easy to reset the root password with just a few clicks? So anyone that has physical access to your system could log in to your system without any problems! Of course physical security is so important, but at home; there is no physical security at home.

Is there a way to disable this mode (single user mode)?

I just came upon this very old thread because I was looking for information related to the astonishing experience I had when I found out how easy, really easy, it is to reset passwords under FreeBSD. I was playing with an old BSD machine in the lab and I simply started single user mode to fix something, then started playing with passwords, and it was quite incredible for me to come up to a root prompt without being asked for any password and have the option to mess with everything without any problem or control from the OS side.

You just need physical access to a machine not protected by a BIOS password and you can, in a few minutes, reset all the passwords using single user mode.

I hope things have changed with recent versions and installs of FreeBSD, because this behaviour is not acceptable in terms of security. Even Windows passwords are a lot harder to reset even if you physically have access to a machine; you need some tools, whereas with single user mode under FreeBSD you need nothing and, IMHO, this is a big big lack for such a secure server OS. I read you can change the behaviour and have the OS ask for a password also in single user mode; then this should be done by default for any install.

BTW, having said that, the original question of the user in this thread was related to the su error if the user does not belong to the wheel group. This is well-designed behaviour, and it is a lot simpler to add an existing (even logged-in) user to the wheel group, assuming he already has access to sudo, than what I read in this thread.

If you are in KDE you can simply open a Konsole or other terminal program and type sudo pw group mod wheel -m your_user_name. After this, simply type su to show the password prompt and you can become root.

A lot simpler compared to booting a live DVD or going into single user mode.

No one pointed out this simple and straightforward way to do this simple and easy thing.
 
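The check that produces "su: Sorry", and the fix sverreh and Hanky-panky describe (adding the user to wheel), as an added example that is not code from the thread. It works on a constructed copy of /etc/group in a temporary file, so it runs as an unprivileged user and never touches the real system; the /etc/pam.d/su line quoted in the comments is the FreeBSD default of that era as I remember it, and the exact options vary by release.

```shell
#!/bin/sh
# Added example, not code from the thread: the wheel-membership check behind
# "su: Sorry" and the fix discussed above, run against a constructed copy of
# /etc/group so it works unprivileged and never touches the real file.
#
# su(1) delegates the decision to PAM; the relevant /etc/pam.d/su line on
# 7.x/8.x era systems is (assumption: exact options vary by release):
#   auth  requisite  pam_group.so  no_warn group=wheel root_only fail_safe
# To fix a real box, become root (single-user mode, or a virtual console as a
# wheel user) and run:
#   pw groupmod wheel -m alice    # add alice to wheel
#   pw groupshow wheel            # expect: wheel:*:0:root,alice

GROUP_FILE="${TMPDIR:-/tmp}/group.example.$$"
trap 'rm -f "$GROUP_FILE" "$GROUP_FILE.tmp"' EXIT

# Constructed sample in /etc/group format: name:password:gid:member,member
cat > "$GROUP_FILE" <<'EOF'
wheel:*:0:root
daemon:*:1:
operator:*:5:root
alice:*:1001:
bob:*:1002:
EOF

# in_group USER GROUP FILE: exit 0 if USER appears in GROUP's member list.
# Only the supplementary member field is consulted, which is what the
# thread's situation is about.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$3"
}

# add_to_group USER GROUP FILE: append USER to GROUP's member list (idempotent;
# same effect as "pw groupmod GROUP -m USER" on the real file).
add_to_group() {
    in_group "$1" "$2" "$3" && return 0
    awk -F: -v OFS=: -v u="$1" -v g="$2" '
        $1 == g { $4 = ($4 == "") ? u : $4 "," u }
        { print }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# su_would_allow USER FILE: what the default group=wheel policy decides for
# "su" to uid 0 (root itself is let through by pam_rootok).
su_would_allow() {
    [ "$1" = root ] || in_group "$1" wheel "$2"
}

# Walk through the thread's situation: alice is not in wheel, then is.
if su_would_allow alice "$GROUP_FILE"; then echo "alice: ok"; else echo "alice: su: Sorry"; fi
add_to_group alice wheel "$GROUP_FILE"
if su_would_allow alice "$GROUP_FILE"; then echo "alice: ok"; else echo "alice: su: Sorry"; fi
grep '^wheel:' "$GROUP_FILE"
```

Note that this only decides the su(1) side; sudo reads /etc/sudoers and, as drhowarddrfine points out below, you already need a sudo grant before `sudo pw groupmod wheel -m you` can work.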
sudo and su are different things. In order to do what you describe in your post, you already need the permission to use sudo, so there is no increase in privileges there. And as was pointed out already, once someone has physical access to your system, you are done. No matter what OS you are running, that game is over. Interesting point here, BTW: using the encryption of the drive itself is of no use in these cases. Someone only needs to remove the data cable and plug that into his laptop - as long as the power stays connected, the drive is unlocked. You will need encrypted drivers or file systems against that.

You can tell FreeBSD to only accept root logins from the physical console, and that console is (for a server) usually in a locked basement, in a locked building with wild dogs roaming around the fence. Putting such a machine into single user mode also will make sure that, about 30 seconds later, some angry administrator will yell into your ear demanding to know what you are doing there. Depending on the server, he will be bringing heavy guys with no humor. I think you get the picture here ;)

So, for server use, this is not a problem. It is a problem for your home machine, but then you are responsible for the physical security of that.
 

Hanky-panky said:
You just need physical access to a machine not protected by a BIOS password and you can, in a few minutes, reset all the passwords using single user mode.

I hope things have changed with recent versions and installs of FreeBSD, because this behaviour is not acceptable in terms of security. Even Windows passwords are a lot harder to reset even if you physically access a machine; you need some tools, whereas with single user mode under FreeBSD you need nothing and, IMHO, this is a big big lack for such a secure server OS.
Somebody who has physical access has the keys. Always. The only reason you require a tool to reset the administrator password is because Windows hides it somewhere deep in the registry and it's rather difficult to edit for us mortals. It's just as simple really. Even on FreeBSD if you would need to enter a password to enter single user mode you can simply boot off a CD or USB stick, mount the filesystem and reset the root password. Sure you can BIOS protect that too. But that password is easily reset too. Just open the box, unplug the battery for a minute and away you go. Anyway, if you want to 'protect' your single user boot edit /etc/ttys, find the line that says console and change secure to insecure.
Code:
console none                            unknown off insecure
 
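The /etc/ttys change that DutchDaemon, moolideejay and SirDice describe, as an added example that is not code from the thread. It applies the edit to a constructed copy of the file in a temporary location so it can be run unprivileged and checked; the comments describe the effect on a real system as documented for init(8), and the sample entries are typical of a 7.x ttys file rather than copied from any particular machine.

```shell
#!/bin/sh
# Added example, not from the thread: the /etc/ttys change discussed above,
# applied to a constructed copy so it runs unprivileged. On a real system edit
# /etc/ttys as root; init(8) consults the console entry when it enters
# single-user mode (boot -s, or "shutdown now"), and an "insecure" console
# makes it ask for the root password there instead of handing out a root
# shell. Make sure root has a password you know first, or the next
# single-user boot locks you out. It does nothing against booting other media.

TTYS="${TMPDIR:-/tmp}/ttys.example.$$"
trap 'rm -f "$TTYS" "$TTYS.tmp"' EXIT

# Constructed sample in ttys(5) format: name getty type status [secure]
cat > "$TTYS" <<'EOF'
# name    getty                          type    status  comments
console   none                           unknown off secure
ttyv0     "/usr/libexec/getty Pc"        cons25  on  secure
ttyv1     "/usr/libexec/getty Pc"        cons25  on  secure
ttyv8     "/usr/local/bin/xdm -nodaemon" xterm   off secure
ttyu0     "/usr/libexec/getty std.9600"  dialup  off secure
EOF

# console_flag FILE: print the last field of the console entry (secure/insecure).
# The getty field may contain spaces ("/usr/libexec/getty Pc"), so only the
# first and last whitespace-separated fields are safe to address by number.
console_flag() {
    awk '$1 == "console" { print $NF }' "$1"
}

# set_console_insecure FILE: rewrite only the console line's trailing "secure"
# as "insecure", leaving spacing and every other tty entry untouched. Idempotent:
# once the line ends in "insecure" the pattern no longer matches.
set_console_insecure() {
    sed 's/^\(console[[:blank:]].*[[:blank:]]\)secure[[:blank:]]*$/\1insecure/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# count_secure FILE: number of non-comment entries still flagged secure,
# for a before/after check that nothing else was modified.
count_secure() {
    awk '$1 !~ /^#/ && $NF == "secure" { n++ } END { print n + 0 }' "$1"
}

echo "before: console is $(console_flag "$TTYS"), $(count_secure "$TTYS") secure entries"
set_console_insecure "$TTYS"
echo "after:  console is $(console_flag "$TTYS"), $(count_secure "$TTYS") secure entries"
```

The virtual consoles (ttyv0 and friends) stay "secure" here on purpose: that flag on a login tty only controls whether root may log in directly on it, and flipping it does not affect single-user mode.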
You don't need any fancy tools to reset the password on MS Windows. Everyone has access (JFGI) to simple bootable CD/memstick images that contain very easy to use password reset tools. There goes the argument that it's harder to do in Windows than on FreeBSD.
 

phoenix said:
Anyone that has physical access to the hardware will be able to access the data on that hardware. All they have to do is pull the harddrive, connect it to another system, and they can do whatever they want. :) And with netbooks and IDE/SATA-to-USB adapters, they don't even have to pull it from the case, just unplug the cord and connect it to the netbook.

You can make things difficult for people (insecure ttys entry, encrypt the harddrive, lock the computer case, lock the door to the room, etc.), but the only way to make a computer completely impenetrable is to encase it in cement, and drop it down a very deep, very dark hole, and then cover that over with cement. :D

Network security is what you should really be concentrating on, unless you really don't trust your friends/roommates/family/etc. ;)

You never know who is waiting for that...

It is better to start living with that and learn. I need root privileges on my machine perhaps once a month. On my server, and especially on my desktop, I had to decrease my accessibility/privileges enough to make myself angry, but it seems better than being a member of wheel and having a lot of liberty.
 