From owner-freebsd-questions Fri Apr 27 17:24:43 2001 Delivered-To: freebsd-questions@freebsd.org Received: from Ion.var.cx (e166066.upc-e.chello.nl [213.93.166.66]) by hub.freebsd.org (Postfix) with ESMTP id C7C0737B423 for ; Fri, 27 Apr 2001 17:24:39 -0700 (PDT) (envelope-from fvw@var.cx) Received: from Hypnos.var.cx (IDENT:root@hypnos [192.168.0.2]) by Ion.var.cx (8.9.3/8.9.3) with ESMTP id CAA04956 for ; Sat, 28 Apr 2001 02:24:39 +0200 Received: (from fvw@localhost) by Hypnos.var.cx (8.9.3/8.9.3) id CAA01568 for freebsd-questions@FreeBSD.ORG; Sat, 28 Apr 2001 02:24:39 +0200 Date: Sat, 28 Apr 2001 02:24:39 +0200 From: Frank v Waveren To: freebsd-questions@FreeBSD.ORG Subject: securing the bootup sequence Message-ID: <20010428022439.A1449@var.cx> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I'm trying to secure the bootup sequence of a 4.3-release install. With a linux install (the box's previous install) this is quite easy, just set the bios to disallow boot from floppy, and give lilo the password= and 'restricted' options. With that configuration, there is no way to get access to an account on the box without physically opening it. However, trying to do this with FreeBSD proves a lot harder. Since I have two IDE drives, boot0 gives the F? list of drives, from which you can select the drive without the kernel on it, which can bring the boot process to a halt, which isn't nice, but isn't terrible either. boot2 is a lot more annoying however. Even if it doesn't show it's prompt by default, pressing space when you get the first '-' will bring up the prompt. From here, you can load an arbitrary replacement for /boot/loader, either previously stored in a users homedir or from floppy. I can't find any way short of hacking the code of stopping boot2 from doing this. The next part of the entertainment is /boot/loader. According to all the docu, having a set password=foo and check-password in /boot/loader.rc should get you a password prompt if you do anything apart from allowing the autoboot to continue. However, the password prompt doesn't appear for me, whatever I tried.. :-(. I have found one discussion from a while back on this topic on deja.com, however I didn't find any useful answers apart from "there's no such thing as security if the attacker has physical access", but I'm not trying to protect against physical access here, just console access. TIA! -- Frank v Waveren Fingerprint: 0EDB 8787 fvw@[var.cx|dse.nl|stack.nl|chello.nl] ICQ#10074100 09B9 6EF5 6425 B855 Public key: http://www.var.cx/pubkey/fvw@var.cx-gpg 7179 3036 E136 B85D To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message