Date: Tue, 04 Jul 2000 12:34:55 +1000 From: Andrew Johns <johnsa@kpi.com.au> To: "Dan O'Connor" <dan@mostgraveconcern.com> Cc: freebsd-stable@freebsd.org Subject: Re: securing the boot process (again?!?) Message-ID: <39614D4F.D4DD6469@kpi.com.au> References: <017c01bfe541$98611f40$0200000a@danco>
next in thread | previous in thread | raw e-mail | index | archive | help
Dan O'Connor wrote: > > >I have been trying to secure (a bit) the boot process of a 4.0-STABLE > >machine that is located in a public place. > > > >I need to use the floppy disk, but if I disable it from the BIOS I get > >no access to it under FreeBSD. So I set the boot sequence to "C only" > >but if I press space while the initial hyphen is displayed i get a > >prompt with no password being requested. (Note I have set a password > >in /boot/loader.conf, and set the console to "insecure" in /etc/ttys) > > > >The problem is I can boot any kernel or loader, including a kernel off > >the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From > >there to a setuid(12345) that yields uid=0 (patched kernel, remember?) > >is just a small step. Any ideas for further improvement of the boot > >process security? > > Doesn't your computer have a BIOS password? These are typically invoked > *before* the BIOS tries to boot off any disk... Unfortunately BIOS passwords can be disabled on the motherboard in a matter of minutes (for most motherboards that I know of). Even Dell laptops (don't know about their desktops/servers) have a master password that Dell will give you if you call them, provided you give them some details first. Regards ---------------------\=-_ _-=/ Andrew Johns BSc. \ \==/ / Principal Consultant \ / KPI Logistics Pty Ltd \ / mailto:johnsa@kpi.com.au \ +/ http://www.kpi.com.au \/ How do I set this laser printer to stun? My favourite boot labels: F1 Real OS -> http://www.FreeBSD.org F2 Pretend OS -> http://www.microsoft.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39614D4F.D4DD6469>