Date: Mon, 14 May 2001 21:26:26 -0700 From: dannyman <dannyman@toldme.com> To: Erik Trulsson <ertr1013@student.uu.se> Cc: freebsd-security@FreeBSD.ORG Subject: Re: nfs mounts / su / yp Message-ID: <20010514212626.I53429@dell.dannyland.org> In-Reply-To: <20010515005431.A40399@student.uu.se>; from ertr1013@student.uu.se on Tue, May 15, 2001 at 12:54:31AM %2B0200 References: <3B0015E5.2E1AED1B@centtech.com> <Pine.BSF.4.21.0105141358540.43455-100000@mail.wlcg.com> <20010515002124.A647@dude.dsl.ru.ac.za> <20010515005431.A40399@student.uu.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, May 15, 2001 at 12:54:31AM +0200, Erik Trulsson wrote: > On Tue, May 15, 2001 at 12:21:24AM +0200, Dominic Parry wrote: > > > > Just a thought, you could in your bios set password and then boot only of > > the hdd. That way no one could boot of a stiffy etc. > > Yes, they could. Assuming they can open the case they could either reset > the BIOS password (almost all mobo have some jumper or similar that can > be used to reset the password), or they could just connect their own hdd > and boot from that. > > It is quite a bit more work and would probably stop those who are merely > driven by idle curiosity. > > Stopping a determined and knowledgeable person who have physical access > to the computer from getting root access ranges from difficult to nearly > impossible. NFS is the problem, IMO. A user could just bring in a laptop, plug it in to Network, munge MAC address, if necessary, and then get the job done. Were I truly uptight I'd allow NFS access only on a physically secured network, and the user can "check out" their files via rsync, or the like. Ugly for a lab environment. In a lab environment I'd just lock the machines down as much as physically possible, which helps discourage the from wandering off, and have supervisory personnel keep tabs who is trying to plug unauthorized equipment in. Maybe provide an isolated, maybe wireless, network for people bringing laptops in. -danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010514212626.I53429>