current-users: Re: Single user mode files (was: Rototil ...)

Subject: Re: Single user mode files (was: Rototil ...)
To: William Allen Simpson <wsimpson@greendragon.com>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 06/06/2003 15:42:42

In message <3EE0DB98.F2D0EB8D@greendragon.com>, William Allen Simpson writes:
>"Steven M. Bellovin" wrote:
>> 
>> In message <20030605235926.GF7074@goldberry.poofy.goof.com>, "Aaron J. Grier
>" w
>> rites:
>> >On Thu, Jun 05, 2003 at 12:05:53PM -0700, Greywolf wrote:
>> >
>> >> It's up to the individual, of course, and I can see where / and /usr
>> >> make a good merge now (but don't enforce it, please, by doing
>> >> something stupid like making dependencies on /usr being mounted in
>> >> single-user mode!),
>> >...
>> >how far can things be split out?
>> >
>> >what is the minimum partition required for single user mode?
>> >...
>> >
>> >besides /bin, /sbin, and /dev, what else is necessary on the root
>> >partition for single user mode?
>> >
>> 
>> Probably /etc, for /etc/rc* to get out of single-user mode cleanly.
>> 
>Funny thing, I was just annoyed the other day about a /usr dependency 
>in single user mode.  You see, I'd not su'd on that particular machine 
>in over 4 months, and couldn't remember the root password.  (All my 
>machines have different passwords for every account, don't yours?  And 
>of course, I wouldn't write them down, would you?)  
>
>passwd is in /usr/bin.  Not even /usr/sbin -- where I'd have guessed 
>"security" binaries might be stored!
>
>In single user mode, without /usr mounted, it took a long time to find.
>
>IMHO, passwd really should be in /sbin.  And chmod, more & less, and 
>other really basic file commands, should be in /bin. 

passwd is invoked by ordinary users, which means it should be in /bin 
if it's to be moved.
>
>The reason I hadn't used the root password on that particular machine 
>is: NetBSD won't let me SSH to root....  Oh, I already did that rant 6 
>months ago when I came back to NetBSD after a long hiatus....

Sure you can -- just set

	PermitRootLogin yes

in /etc/ssh/sshd_config.

The philosophical split between /bin (/sbin) and /usr/bin (/usr/sbin)
is whether or not you "need" it while in single-user mode; it has 
nothing to do with security, but rather, with repair.  On those 
grounds,  The split between /bin (/usr/bin) and /sbin (/usr/sbin) is 
whether or not ordinary users need the command.  They do need passwd.
They don't need chown, since it's privileged.

ipsec is an interesting case, since arguably it's a crucial part of 
networking that you need before going multi-user, i.e., to mount a 
remote file system securely. 


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)