From: Nerius Landys
To: freebsd-questions@freebsd.org
Date: Thu, 6 Aug 2009 11:35:22 -0700
Subject: Physically securing FreeBSD workstations & /boot/boot2
Message-ID: <560f92640908061135j41f35bfevcd1476ce9ead38a4@mail.gmail.com>

Hi. I am attempting to secure some workstations in such a way that a user would not be able to gain full control of the computer (only user access). However, they are able to see and touch the physical workstation.

Things I'm trying to avoid, to list a couple of examples:

1. Go to BIOS settings and configure it to boot from CD first, then stick in a CD. To prevent this I've put BIOS to only boot from hard drive and I've password-locked the BIOS.

2. Go to loader menu and load (boot kernel) with some custom parameters or something. I've secured the loader menu by password-protecting it (/boot/loader.conf has password) and /boot/loader.conf is not world-readable.

And I'm sure there are other things; I just forgot them.

So my question is: Is this [securing of the workstation] worthwhile, or should I just forget about this kind of security? I want to make it so that the only way to gain full control of the computer is by physically opening up the box.

I noticed that boot2 brings up a menu like this one when I press space during the initial boot blocks:

>> FreeBSD/i386 BOOT
Default: 0:ad(0,a)/boot/loader
boot:

I guess it would be possible to stick in a floppy disk or something and boot from there? So my question is, is this a threat to my plan, and if so, how can I disable this prompt?
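A way to verify the loader.conf state described in item 2 of the message above, as an added example that is not part of the original post. It assumes the password is set through the `password` variable in loader.conf; the function name `check_loader_conf` is hypothetical, and the check for write and execute bits for "other" goes slightly beyond the world-readable condition the post mentions.

```shell
#!/bin/sh
# Added example: audit a loader.conf for the two properties the post relies on:
#   1. an active (non-comment, non-empty) password= line is present
#   2. the file grants no permissions to "other", so local users cannot read it
# Usage: sh audit.sh /boot/loader.conf

check_loader_conf() {
    f=$1
    rc=0

    if [ ! -f "$f" ]; then
        echo "MISSING: $f is not a regular file"
        return 2
    fi

    # Match password=value or password="value"; commented-out lines and
    # empty values (password="") do not count as a set password.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*"?[^"[:space:]]' "$f"; then
        echo "OK: loader password is set"
    else
        echo "FAIL: no active password= line in $f"
        rc=1
    fi

    # find -perm -NNN is POSIX and avoids the differing stat(1) syntaxes.
    # Any bit for "other" means an unprivileged user can reach the file.
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "FAIL: $f is accessible to other users (expected mode such as 600)"
        rc=1
    else
        echo "OK: $f grants no access to other users"
    fi

    return $rc
}

# Run against the file named on the command line, if any.
[ $# -eq 0 ] || check_loader_conf "$1"
```

The function returns 0 only when both conditions hold, 1 when either fails, and 2 when the file is missing.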