Date: Wed, 12 Apr 1995 10:51:21 -0700 (PDT) From: "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com> To: davew@sees.bangor.ac.uk (Mr D Whitehead) Cc: freebsd-security@FreeBSD.org Subject: Re: FreeBSD Security Problem? Message-ID: <199504121751.KAA07234@gndrsh.aac.dev.com> In-Reply-To: <9326.9504121533@sol.sees.bangor.ac.uk> from "Mr D Whitehead" at Apr 12, 95 04:33:28 pm
next in thread | previous in thread | raw e-mail | index | archive | help
> > Hi, > First the compliments - great job so far. > > Now the problem. I have been using FreeBSD (2.0R) at home (without > any problems) and also evaluating it for use at work. One ancient and major > problem seems to exist (unless I have missed something or it has already been > altered) and that is the reboot to single user. No password, nothing, just a > root shell to do with as you wish. OK I know its not a problem at home - but > just imagine the fun all our undergraduates would have with this if we put a > machine in a public area (the current suggestion is for 50). > > We would really like to replace our ageing Sun SLC's but are seriously > worried about the above problem - any comments? As has already been pointed out in other mail tweak /etc/ttys. But this still leaves a very nasty hole you need to plug. You will have to remove the floppy drive from all machines, otherwise a person can just download a FreeBSD boot floppy and boot single user from it, mount the hard disk, splat the passwd file or the ttys file and then reboot from the hard disk. Some BOIS allow you to set the boot sequecne to C:, A:, if yours do, this is another way around the floppy problem. Set it to C:, A:, and then password protect the BIOS so the user can't change it back. Since C: should always have a valid boot partition on it there is no way for them to boot from floppy, but they can still use the floppy for normal things. -- Rod Grimes rgrimes@gndrsh.aac.dev.com Accurate Automation Company Custom computers for FreeBSD
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199504121751.KAA07234>