From owner-freebsd-security Mon Jul 3 15:54:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from mostgraveconcern.com (mostgraveconcern.com [216.82.145.240]) by hub.freebsd.org (Postfix) with ESMTP id 0B3B937B72D for ; Mon, 3 Jul 2000 15:54:24 -0700 (PDT) (envelope-from dan@mostgraveconcern.com) Received: from danco (danco.mostgraveconcern.com [10.0.0.2]) by mostgraveconcern.com (8.9.3/8.9.3) with SMTP id PAA38477; Mon, 3 Jul 2000 15:54:07 -0700 (PDT) (envelope-from dan@mostgraveconcern.com) Message-ID: <017c01bfe541$98611f40$0200000a@danco> Reply-To: "Dan O'Connor" From: "Dan O'Connor" To: , Subject: Re: securing the boot process (again?!?) Date: Mon, 3 Jul 2000 15:54:07 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3155.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I have been trying to secure (a bit) the boot process of a 4.0-STABLE >machine that is located in a public place. > >I need to use the floppy disk, but if I disable it from the BIOS I get >no access to it under FreeBSD. So I set the boot sequence to "C only" >but if I press space while the initial hyphen is displayed i get a >prompt with no password being requested. (Note I have set a password >in /boot/loader.conf, and set the console to "insecure" in /etc/ttys) > >The problem is I can boot any kernel or loader, including a kernel off >the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From >there to a setuid(12345) that yields uid=0 (patched kernel, remember?) >is just a small step. Any ideas for further improvement of the boot >process security? Doesn't your computer have a BIOS password? These are typically invoked *before* the BIOS tries to boot off any disk... --Dan -- Dan O'Connor On Matters of Most Grave Concern http://www.mostgraveconcern.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message