From owner-freebsd-current  Wed Jan  6 18:09:41 1999
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id SAA12832
          for freebsd-current-outgoing; Wed, 6 Jan 1999 18:09:41 -0800 (PST)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA12827
          for <current@FreeBSD.ORG>; Wed, 6 Jan 1999 18:09:39 -0800 (PST)
          (envelope-from green@unixhelp.org)
Received: from localhost (green@localhost)
	by janus.syracuse.net (8.8.8/8.8.7) with ESMTP id VAA28254;
	Wed, 6 Jan 1999 21:09:07 -0500 (EST)
Date: Wed, 6 Jan 1999 21:09:06 -0500 (EST)
From: Brian Feldman <green@unixhelp.org>
X-Sender: green@janus.syracuse.net
To: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
        Tom Bartol <bartol@salk.edu>, current@FreeBSD.ORG
Subject: Re: New boot blocks for serial console ... 
In-Reply-To: <38416.915473396@zippy.cdrom.com>
Message-ID: <Pine.BSF.4.05.9901062105340.27158-100000@janus.syracuse.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 4 Jan 1999, Jordan K. Hubbard wrote:

> > What we're trying to achieve is an environment where the worst thing
> > someone could do is cause the machine to reboot.
> 
> Then lock the machine in a room.  You're not going to get anywhere
> close to that by changing the boot blocks and flagging it as an issue
> in this case is simply waving a red herring.

It might be nice to have a root-password-required feature for
booting single user, as I believe OpenBSD has, and maybe a "trusted
kernel" path...  With this, disabling booting from other media,
and passwording the BIOS, it would be impossible to crack the
machine without having to open the case. This would usually keep
a machine in open view secure, as people would NOT be expecting
someone to open up the case in <insert location here>. Then again,
a case won't necessarily be a deterrent anyway, but these things
could help.

> 
> - Jordan

 Brian Feldman						  _ __  ___ ___ ___  
 green@unixhelp.org				      _ __ ___ | _ ) __|   \ 
		      http://www.freebsd.org/	 _ __ ___ ____ | _ \__ \ |) |
 FreeBSD: The Power to Serve!		   _ __ ___ ____ _____ |___/___/___/ 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message