From owner-freebsd-questions Mon Jun 12 3: 4:45 2000 Delivered-To: freebsd-questions@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 0498437CA33 for ; Mon, 12 Jun 2000 03:04:32 -0700 (PDT) (envelope-from razor@ldc.ro) Received: (qmail 18044 invoked by uid 666); 12 Jun 2000 10:04:18 -0000 Date: Mon, 12 Jun 2000 13:04:18 +0300 From: Alexandru Popa To: freebsd-questions@freebsd.org Cc: razor@ldc.ro Subject: Securing bootup procedure on a public physical access machine Message-ID: <20000612130418.A18033@ldc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0.1i Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Is it possible to "secure" the bootup procedure so that a computer that is located in a public place cannot be "rooted" by just specifying single-user mode bootup? I am using FreeBSD 4.0-RELEASE (I will update to -stable soon), on an entirely-FreeBSD disk (no fdisk type partitions, aka "dangerously dedicated"). I know about the password mechanism in /boot/, but as I understand the three-phase bootup procedure, it is possible to convnice first the MBR block to boot from a floppy, then the boot manager, or it is possible to fool the second-stage boot manager to load another third-stage boot manager. Please correct me if I am wrong, or give suggestions so I can trust that machine. Note that I am not subscribed to -questions, so please cc me on the answer. Thanks a lot, Alex. ------------+------------------------------------------ Alex Popa, |There never was a good war or a bad peace razor@ldc.ro| -- B. Franklin ------------+------------------------------------------ "It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message