More Secure Single User Mode Via Password

Registered by Michael Lynch

Currently, when a user chooses to boot Ubuntu in single-user mode, they are granted total access to the entire system.

This is not ideal in any situation, but most certainly not in public, high-traffic, or "secure" environments such as schools, libraries, or businesses. Ubuntu should ask the user for a password. The system could ask for the password either via GRUB or once the system boots into single-user mode.

It would be relatively easy to re-implement the single-user mode password, as that simply involves giving root a password.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

An idea... if the user forgets his/her password and needs to use 'Recovery Mode', they should answer some security questions before being granted 'root' access... The first user (the person who installed the operating system) could fill in the details upon installation, e.g., Mother's Maiden Name? Last School Attended?

* Feel free to make that an optional question, but it is very easy to subvert. See http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-rescuemode-booting-single.html and the "init=/bin/bash" boot parameter. If a user expects their system to be secure against *physical* access, they should set a GRUB password and disable all boot devices other than the hard disk. Of course, you'd also have to fill the entire box with epoxy so that they couldn't break whatever lock you have on the side of the computer or cut through it and get at your data. In other words, use encryption. -lfaraone

I would go so far as to say a backdoor is a *terrible* idea. Any user who has need of a single-user-mode password should also have the ability to store that password somewhere safe; i.e. a user who knows they need it also knows why they need it. Additionally, a user who has need of the feature also probably knows how to remove the hard drive, put it in another machine, and get to their data that way if they lose the single-user-mode password. Adding a backdoor mechanism only encourages users to set up features they don't understand and ultimately makes the system less secure, not more so. Just because banks and other personally valuable resources use backdoors doesn't mean it's right; backdoors are grossly negligent and reduce overall security to nearly zero. See http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html for a better description than I can give on the matter. - jelias
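The two settings this discussion turns on (a usable root password, and a GRUB password that stops boot parameters from being edited) can be audited together. The script below is an added example, not part of the blueprint or of any commenter's post; the function names are hypothetical, the file paths are parameters so it can run on copies, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audits copies of /etc/shadow and grub.cfg (paths are parameters).

# Prints "set", "locked", "empty" or "missing" for root's password field.
root_password_state() {
    line=$(grep '^root:' "$1") || { echo missing; return 0; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;   # passwd -l prefixes '!'; '*' never matches a hash
        *)         echo set ;;
    esac
}

# Prints "protected" only if a non-empty superusers list and a password entry exist.
grub_password_state() {
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers="?[^"[:space:]]' "$1" &&
       grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]' "$1"
    then echo protected
    else echo unprotected
    fi
}

# Combines both checks into one verdict word followed by the reason.
single_user_verdict() {
    root=$(root_password_state "$1")
    grub=$(grub_password_state "$2")
    if [ "$grub" = unprotected ]; then
        echo "open: boot parameters can be edited without a password (root password: $root)"
    elif [ "$root" = set ]; then
        echo "gated: GRUB password and root password are both set"
    else
        echo "partial: GRUB is protected but the root password is $root"
    fi
}

# Constructed sample files, not taken from a real system.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:!:19000:0:99999:7:::' 'alice:$6$constructed$hash:19000:0:99999:7:::' > "$tmp/shadow"
    printf '%s\n' 'set timeout=5' 'menuentry "Ubuntu" { linux /vmlinuz ro }' > "$tmp/grub.cfg"
    single_user_verdict "$tmp/shadow" "$tmp/grub.cfg"
    rm -rf "$tmp"
}
demo
```

Neither check says anything about disk encryption or boot-device order, which the comments above treat as the remaining physical-access gaps.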
