From owner-freebsd-questions@FreeBSD.ORG Sat Jul 26 20:25:37 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA040106567A for ; Sat, 26 Jul 2008 20:25:37 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr7.xs4all.nl (smtp-vbr7.xs4all.nl [194.109.24.27]) by mx1.freebsd.org (Postfix) with ESMTP id 4BCEE8FC1C for ; Sat, 26 Jul 2008 20:25:36 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr7.xs4all.nl (8.13.8/8.13.8) with ESMTP id m6QKPSFg043792; Sat, 26 Jul 2008 22:25:29 +0200 (CEST) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id 72BE4BAA0; Sat, 26 Jul 2008 22:25:28 +0200 (CEST) Date: Sat, 26 Jul 2008 22:25:28 +0200 From: Roland Smith To: Polytropon Message-ID: <20080726202528.GB19534@slackbox.xs4all.nl> References: <3176.84.18.27.248.1217093483.squirrel@mail.dsa.es> <20080726215853.166d6840.freebsd@edvax.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="BwCQnh7xodEAoBMC" Content-Disposition: inline In-Reply-To: <20080726215853.166d6840.freebsd@edvax.de> X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.18 (2008-05-17) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: freebsd-questions@freebsd.org Subject: Re: Root boot/mount Password? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jul 2008 20:25:37 -0000 --BwCQnh7xodEAoBMC Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 26, 2008 at 09:58:53PM +0200, Polytropon wrote: > > What I want is that if the system is rebooted or shutdown, somebody must > > enter a password to boot and/or mounting "/" >=20 > Next to the usual means of access control (no automated login, no > users without password), there would be an option to boot the system > in single user mode first. Your /etc/ttys would contain "insecure" > in the 5th field so nobody would get into the shell without the > root password. Then, fsck and mount -a, followed by "exit" or Ctrl-D > would be neccessary to boot the system into multi user mode. To > boot your system into SUM, I think /boot/loader.conf must contain > the line ,,boot_single=3D"YES"''. Assuming physical access to the machine, this can be easily circumvented by booting from a FreeBSD CD.=20 Of yourse you can disable booting from CD in the BIOS, and guard that with a password. But that is usually easy to wipe by shorting a jumper on the motherboard. It just depends on the amount of time and knowledge that the attacker has. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --BwCQnh7xodEAoBMC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkiLiDgACgkQEnfvsMMhpyVeNQCfYSVSNJqunnoMWzgqhhCN7UJc wgEAn2VY/6zBhLYFl52zy9zUXZWkFeov =iN30 -----END PGP SIGNATURE----- --BwCQnh7xodEAoBMC--