From owner-freebsd-hackers Tue Feb 29 13: 1:34 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from stimpy.sasknow.com (h139-142-245-100.ss.fiberone.net [139.142.245.100]) by hub.freebsd.org (Postfix) with ESMTP id 9226D37BBC0 for ; Tue, 29 Feb 2000 13:01:28 -0800 (PST) (envelope-from ryan@sasknow.com) Received: from localhost (ryan@localhost) by stimpy.sasknow.com (8.9.3/8.9.3) with ESMTP id PAA18945; Tue, 29 Feb 2000 15:01:56 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Tue, 29 Feb 2000 15:01:56 -0600 (CST) From: Ryan Thompson To: Zhihui Zhang Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Building customized kernel without root passwd In-Reply-To: Message-ID: Organization: SaskNow Technologies [www.sasknow.com] MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Zhihui Zhang wrote to freebsd-hackers@FreeBSD.ORG: > > My professor plans to use FreeBSD for teaching purpose. We will allow > students to build their kernel but do not want to give them root password. > So it's better to find a way to let students build kernel under their own > account, save the kernel on a floppy and then boot from the floppy. > > I am familiar with normal kernel build process. But have not done the > above before. I hope someone can give me some suggestions and I will try > them out. > > Thanks a lot. > > -Zhihui It might be possible to do... (SHOULD be possible, though modifications to the Makefile would have to be done to point the build away from /usr/src/sys/compile. The install option would also have to be modified to point to the floppy... And watch it die when the write protect tab is locked. ;-) I would STRONGLY recommend against this though, as it's really a false sense of security... Heck, maybe even less... After booting from the floppy (presumably in single user mode), the user can make arbitrary root mounts of the system's hard drive (and any maproot=0 NFS exports allowed by that machine!). In fact, enabling floppy boots on public machines where wide physical access is available is generally a Bad Idea. Of course, not giving the students root's password on that machine is also a moot point, as a 'passwd root' from that boot flopply sort of avoids the whole issue. :-) Most colleges give students responsibility for their own computers for this sort of work. Things tend to go awry when budding SysAdmins (with strict lab deadlines, no less) are given root privileges. It is possible to modify the 'mount' command to require some extra authentication (like a password or challenge phrase) to perform root mounts, but unless you regulate all floppies that enter and exit your lab, there is nothing to stop users with home systems from rolling their own mount from an existing FreeBSD system without such restrictions. Basically, if the user has the permissions to build and boot from their own kernel and/or suite of utilities (be it from a floppy or the local drive), assume they have free reign over the entire system, and any network resources root normally has access to. -- Ryan Thompson Systems Administrator, Accounts Phone: +1 (306) 664-1161 SaskNow Technologies http://www.sasknow.com #106-380 3120 8th St E Saskatoon, SK S7H 0W2 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message