From: Dominic Parry
To: freebsd-security@freebsd.org
Subject: Re: nfs mounts / su / yp
Date: Tue, 15 May 2001 00:21:24 +0200
Message-ID: <20010515002124.A647@dude.dsl.ru.ac.za>

Just a thought, you could in your BIOS set a password and then boot only off
the hdd. That way no one could boot off a stiffy etc.

On Mon 2001-05-14 (14:02), Rob Simmons wrote:
> You could set the console to insecure in /etc/ttys. That way single user
> mode will ask for the root password. You still can't prevent someone from
> booting with their own floppy disk and making changes that way. I think
> the only way to prevent that is to use an encrypted filesystem of some
> sort.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Mon, 14 May 2001, Eric Anderson wrote:
>
> > If a user reboots their machine, goes into single user mode, and changes
> > the local root password (and adds their username into the wheel group of
> > course), then boots into multiuser mode, they can su to root, then su to
> > any NIS user they desire, and do malicious things as that user. su'ing
> > from root to any other user never asks for a password, so login.conf
> > isn't used (right?)..

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
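
The /etc/ttys setting mentioned in the quoted reply can be audited with a small check. This is an added example, not part of the original thread: the function name `console_status` is hypothetical, the sample lines are constructed, and it assumes the usual ttys layout (name, command, type, flags) with a missing `secure` flag treated as insecure.

```shell
#!/bin/sh
# console_status FILE
# Prints "secure", "insecure" or "missing" for the console entry of a
# ttys-format file. "insecure" is the hardened state discussed in the
# thread: single user mode then asks for the root password.
console_status() {
    awk '
        $1 == "console" {
            line = $0
            gsub(/"[^"]*"/, "Q", line)  # quoted getty command becomes one field
            sub(/#.*/, "", line)        # drop a trailing comment
            $0 = line                   # re-split the cleaned line into fields
            state = "insecure"          # assumption: no "secure" flag means insecure
            for (i = 4; i <= NF; i++)
                if ($i == "secure") state = "secure"
            found = 1
            print state
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample input: a commented-out old entry, the active console
# entry marked insecure, and one virtual terminal.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# console none unknown off secure
console none                          unknown off insecure
ttyv0   "/usr/libexec/getty Pc"       cons25  on  secure
EOF

case "$(console_status "$sample")" in
    insecure) echo "OK: single user mode will prompt for the root password" ;;
    secure)   echo "WARN: console is secure, single user mode gives a root shell without a password" ;;
    missing)  echo "WARN: no console entry found" ;;
esac
rm -f "$sample"
```

As the thread notes, this setting does not help against booting from other media, so it complements the BIOS password and boot-order restriction rather than replacing them.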