From: Matthew Seaman
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
Date: Fri, 5 Dec 2003 14:57:20 +0000
Subject: Re: protecting loader
Message-ID: <20031205145719.GB96968@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <44llpr1i8a.fsf@be-well.ilk.org>
References: <20031204141547.T598@genisis> <44llpr1i8a.fsf@be-well.ilk.org>
On Fri, Dec 05, 2003 at 08:56:05AM -0500, Lowell Gilbert wrote:
> Dru writes:
> > Is there a way to prevent a user from bypassing loader and
> > loading/unloading stuff at the OK prompt? (other than physical security
> > measures)
>
> I don't know, but I don't think it will help much. It would still be
> possible to come up in single-user mode, which lets the user bypass
> anything you set up anyway.

Getting access to the loader prompt gives you rather more power than just single user mode. An attacker can boot their own kernel -- either from removable media or over the net -- can load their own kernel modules into your regular kernel -- how about a module that traps all of the keystrokes on each tty/pty: passwords would be a dime a dozen -- and all sorts of other hijinks.

Single user mode can be protected by setting the console status to insecure in /etc/ttys -- which will require that the root password is given for access. That protection is trivially bypassed with a fixit disk and access to the loader/boot prompt. The only other possible protection is to set a BIOS password, but that means the machine will not re-boot unattended.

If you want to allow free access to a machine in a public place, then to prevent people taking it over you need to:

  i) Physically prevent them from using their own removable media -- floppy, CD and DVD drives either have to be removed, or secured by lock and key[1].

  ii) USB and other ports must be inaccessible -- can't get round the protections by installing your own hardware.

  iii) Must not use the local keyboard/mouse/video card for the system console -- making the serial port carry the console is a good idea, especially if you can arrange for a secured console server. The public absolutely has to be prevented from accessing the system console.

Even so, while you can redirect the system console from within FreeBSD, you can't do similarly with the BIOS setup screens. For that you need something like a RealWeasel card.

Setting up an automatic login on the publicly accessible terminal -- so that the attacker cannot access the Login: prompt -- is a good idea. Making that auto-login run a restricted software environment under a non-privileged UID -- usually some sort of menu system or web-based interface which restricts what the user may do to a small subset of commands -- would be a good idea. As would booting from read-only media -- not having a writable hard drive in a machine does cramp the style of most attackers.

Cheers,

Matthew

[1] If you need access to these devices while running -- say you're setting up a kiosk system where you can record music tracks onto CD-RW -- then it should be possible to disable the devices in the BIOS, so the system will ignore them at boot time, but let the usual boot-time hardware probe find them so that they're available at run time. Of course, in this scenario, you'll have to prevent any attacker getting access to the BIOS setup, which is very difficult on a standard PC system.

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
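An added audit snippet (not from the thread or from FreeBSD itself) for the /etc/ttys console flag Matthew mentions: it parses a ttys(5)-style file and reports whether the "console" entry is flagged secure, insecure, or carries no flag, so the single-user-mode password requirement can be checked on a fleet without reading each file by hand. It assumes the standard ttys(5) layout (name, getty, type, status, optional flags) and uses constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the original mail. Reports the secure/insecure
# flag on the "console" line of a ttys(5)-style file. Per the thread, the
# console being marked "insecure" is what makes init ask for the root
# password before starting a single-user shell.
# Assumed layout: name getty type status [secure|insecure ...]

# Print "secure", "insecure", "unflagged" or "missing" for file $1.
console_status() {
    awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        NF == 0          { next }            # skip blank lines
        $1 == "console"  {
            status = "unflagged"
            for (i = 4; i <= NF; i++) {      # flags follow the status field
                if ($i == "insecure") status = "insecure"
                else if ($i == "secure") status = "secure"
            }
            print status; found = 1; exit    # exit still runs END below
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files for demonstration only (not real system files).
TTYS_WEAK=$(mktemp)
TTYS_HARDENED=$(mktemp)
trap 'rm -f "$TTYS_WEAK" "$TTYS_HARDENED"' EXIT

cat > "$TTYS_WEAK" <<'EOF'
# name   getty                       type     status  comments
console  none                        unknown  off     secure
ttyv0    "/usr/libexec/getty Pc"     cons25   on      secure
EOF

cat > "$TTYS_HARDENED" <<'EOF'
console  none                        unknown  off     insecure
ttyv0    "/usr/libexec/getty Pc"     cons25   on      secure
EOF

echo "weak file:     console is $(console_status "$TTYS_WEAK")"
echo "hardened file: console is $(console_status "$TTYS_HARDENED")"
```

Run it against a real /etc/ttys by calling console_status on that path; "secure" or "unflagged" on the console line is the finding to act on.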