From owner-freebsd-questions  Wed Dec  9 09:27:33 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA04690
          for freebsd-questions-outgoing; Wed, 9 Dec 1998 09:27:33 -0800 (PST)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from insomnia.local.net (tcs2-43.netwalk.net [206.175.52.107])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA04685
          for <questions@FreeBSD.ORG>; Wed, 9 Dec 1998 09:27:30 -0800 (PST)
          (envelope-from jmutter@netwalk.com)
Received: from localhost (jmutter@localhost)
	by insomnia.local.net (8.8.8/8.8.8) with ESMTP id MAA05587;
	Wed, 9 Dec 1998 12:27:25 -0500 (EST)
	(envelope-from jmutter@netwalk.com)
X-Authentication-Warning: insomnia.local.net: jmutter owned process doing -bs
Date: Wed, 9 Dec 1998 12:27:25 -0500 (EST)
From: "James A. Mutter" <jmutter@netwalk.com>
Reply-To: jm7996@devrycols.edu
To: Michael Borowiec <mikebo@Mcs.Net>
cc: questions@FreeBSD.ORG
Subject: Re: Securing the FreeBSD console
In-Reply-To: <199812090624.AAA12484@Mars.mcs.net>
Message-ID: <Pine.BSF.4.05.9812091221450.5578-100000@insomnia.local.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Greetings -
> Just when I think I've got my FreeBSD console relatively secure with
> xlock, someone else shows up with a new key combination to easily
> circumvent it...
> 
> To prevent people from killing your X-Server with Ctrl-Alt-Backspace
> requires a simple mod to /etc/XF86Config - NoZap. Covered...
> 
> To prevent rebooting your server with a Ctrl-Alt-Del requires
> a kernel config change. Where is this documented?

Last I checked that was documented in the LINT kernel.  Not hard to find.

> 
> Xlock is useless with the sc0 console driver, since typing Ctrl-Alt-F1
> breaks out of graphics mode, back to the virtual terminal. Then one simply
> does a Ctrl-C and they're in... How can this be disabled?

startx && logout - Has always worked for me. 

> Anyone know of any other knuckle-head methods to break xlock?
> (besides pulling the power cord out ;v)
> 
> Anyone know why FreeBSD ships with all these security holes enabled by
> default? I checked the FreeBSD Security web page, and there was no mention
> of any of these "features", or how to plug them. (Did I miss something?)

Most of the problems/situations you have mentioned are with XFree86 and
_not_ FreeBSD - you may want to take this up with them.

> 
> Any pointers would be welcome. Thanks!
> Regards,

Physical security, without it nothing is secure.  Any PC is vulnerable if
I have a boot floppy.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message