From: Robert Watson <robert@fledge.watson.org>
Date: Tue, 11 Dec 2001 08:54:57 -0500 (EST)
To: Mike Barcroft
Cc: Paul Richards, Mike Silbersack, mini@haikugeek.com, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
In-Reply-To: <20011211010336.Q1956@espresso.q9media.com>
List: cvs-all@FreeBSD.org

On Tue, 11 Dec 2001, Mike Barcroft wrote:

> Paul Richards writes:
> > You need the superuser password to get to single user if the console is
> > secure. The loader can be used to circumvent that now.
>
> Interesting, I hadn't seen that before. This is probably only useful at
> preventing people that don't have an account on the system, and don't
> have physical access to the harddisk, CD-ROM/DVD-ROM, or floppy drives
> from gaining root. To gain root from an account and console access, one
> need only craft an init(8) and change the loader init_path.
>
> Perhaps a secure loader would be useful, such that it doesn't allow
> interrupting. Similar things could be done with the pre-loader boot,
> but this write from loader feature seems so useful to me that I can't
> imagine why we would want to turn it off by default, particularly given
> the intrinsic insecurities of our current loader.
I think the primary call for such a "userless loader" would be in the so-called "kiosk" environment: the user is provided with access to the keyboard, mouse, and monitor, but expected not to interfere with the operation of the system. Using UNIX in such an environment is not unusual -- it certainly happens in university libraries, booths at tradeshows, etc. This doesn't mean it has to be a whole separate loader, just that somewhere it would be nice to have a twiddle to prevent undue interference with the boot process. I recognize that we're pretty far from that now, of course, due to having each phase of the multi-phase boot process allow interruption, selection of the next phase, etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
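The two settings the thread is arguing about, as an added example that is not code from the thread or from FreeBSD itself: a small POSIX shell audit of the console entry in /etc/ttys and of the loader's autoboot countdown. The ttys(5)/init(8) behaviour is the one Paul Richards describes above (a console marked "insecure" makes init demand the root password before single-user mode). The autoboot_delay="-1" knob is taken from loader.conf(5) on current FreeBSD releases and is an assumption about later releases, not a feature of the 2001 loader under discussion. The ttys fragments are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD sources.
# Audits the two knobs the thread touches on:
#   1. the console entry in /etc/ttys (ttys(5)): "insecure" makes init(8)
#      ask for the root password before entering single-user mode;
#   2. autoboot_delay in /boot/loader.conf (loader.conf(5) on current
#      FreeBSD, an assumption about releases later than this 2001 thread):
#      "-1" keeps the autoboot countdown from being interrupted, so
#      "set init_path=..." at the loader prompt is no longer a one-liner.

# Constructed /etc/ttys fragments (sample data, not copied from a system).
SAMPLE_TTYS_WEAK='# name  getty                     type    status  comments
console none                      unknown off     secure
ttyv0   "/usr/libexec/getty Pc"   cons25  on      secure'

SAMPLE_TTYS_HARDENED='# name  getty                     type    status  comments
console none                      unknown off     insecure
ttyv0   "/usr/libexec/getty Pc"   cons25  on      secure'

# console_status < ttys-file
# Prints "secure", "insecure", or "missing" for the console entry.
console_status() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "console" {
      status = "secure"                     # ttys(5) default when unmarked
      for (i = 2; i <= NF; i++)
        if ($i == "insecure") status = "insecure"
      print status; found = 1; exit
    }
    END { if (!found) print "missing" }
  '
}

# loader_interruptible < loader.conf
# Prints "no" when autoboot_delay is "-1", otherwise "yes".
loader_interruptible() {
  awk -F= '
    $1 ~ /^[ \t]*autoboot_delay[ \t]*$/ {
      v = $2
      gsub(/"/, "", v); sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
    }
    END { if (v == "-1") print "no"; else print "yes" }
  '
}

# single_user_exposed < ttys-file
# Exit status 0 when the console is NOT marked insecure, i.e. "boot -s"
# hands out a root shell without asking for a password.
single_user_exposed() {
  [ "$(console_status)" != "insecure" ]
}

# Stand-alone demo over the constructed samples: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
  printf 'weak ttys, console: %s\n' \
    "$(printf '%s\n' "$SAMPLE_TTYS_WEAK" | console_status)"
  printf 'hardened ttys, console: %s\n' \
    "$(printf '%s\n' "$SAMPLE_TTYS_HARDENED" | console_status)"
  printf 'autoboot_delay="-1", loader interruptible: %s\n' \
    "$(printf 'autoboot_delay="-1"\n' | loader_interruptible)"
fi
```

On a live system run `console_status < /etc/ttys` and `loader_interruptible < /boot/loader.conf`. The check only measures what Mike Barcroft's caveat already limits it to: neither setting does anything against someone who can pull the disk or boot from removable media, and an "insecure" console without a non-interruptible loader still leaves the init_path substitution open.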