Date:      Mon, 14 May 2001 14:09:02 -0400 (EDT)
From:      Mikhail Kruk <meshko@cs.brandeis.edu>
To:        Rob Simmons <rsimmons@wlcg.com>
Cc:        Eric Anderson <anderson@centtech.com>, "Oulman, Jamie" <JOulman@iphrase.com>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: nfs mounts / su / yp
Message-ID:  <Pine.LNX.4.33.0105141406440.30117-100000@daedalus.cs.brandeis.edu>
In-Reply-To: <Pine.BSF.4.21.0105141358540.43455-100000@mail.wlcg.com>

Well, you can disable booting from floppy, set up a BIOS password and
physically lock the case. We have a bunch of Linux boxes running NIS in
our lab with this kind of setup and I believe there were no problems.
It's rather hard to break into a locked computer case without people
noticing it.

On Mon, 14 May 2001, Rob Simmons wrote:

> You could set the console to insecure in /etc/ttys.  That way single user
> mode will ask for the root password.  You still can't prevent someone from
> booting with their own floppy disk and making changes that way.  I think
> the only way to prevent that is to use an encrypted filesystem of some
> sort.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Mon, 14 May 2001, Eric Anderson wrote:
>
> > If a user reboots their machine, goes into single user mode, and changes
> > the local root password (and adds their username into the wheel group of
> > course), then boots into multiuser mode, they can su to root, then su to
> > any NIS user they desire, and do malicious things as that user.  su'ing
> > from root to any other user never asks for a password, so login.conf
> > isn't used (right?)..
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.33.0105141406440.30117-100000>
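
A check for the /etc/ttys setting Rob Simmons describes in the quoted reply, as an added example that is not part of the original thread: it reads a ttys(5)-format file and reports whether the console is marked insecure, which is what makes single-user mode ask for the root password. The function names and the sample file contents are constructed for illustration, and a console line carrying no secure flag is assumed to behave as insecure.

```shell
#!/bin/sh
# Added example (not from the thread): audit the console line of a ttys(5) file.

# console_status FILE -> prints "secure", "insecure" or "missing".
# Assumption: a console line without the "secure" flag counts as insecure.
console_status() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "console" {
            found = 1; state = "insecure"
            for (i = 2; i <= NF; i++) {
                if ($i == "secure")   state = "secure"
                if ($i == "insecure") state = "insecure"
            }
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# audit_console FILE -> 0 if single-user mode will prompt for the root password.
audit_console() {
    case "$(console_status "$1")" in
        insecure) echo "OK:   $1: single-user mode asks for the root password"; return 0 ;;
        secure)   echo "WARN: $1: console is secure, single-user boot gives a root shell"; return 1 ;;
        *)        echo "WARN: $1: no console entry found"; return 2 ;;
    esac
}

# Constructed sample files, so the script runs without touching /etc/ttys.
sample_dir=$(mktemp -d)
cat > "$sample_dir/ttys.default" <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
EOF
# Hardened copy: only the console line is switched to insecure.
sed 's/^\(console.*\)secure/\1insecure/' "$sample_dir/ttys.default" > "$sample_dir/ttys.hardened"

for f in "$sample_dir/ttys.default" "$sample_dir/ttys.hardened"; do
    audit_console "$f" || true
done
rm -rf "$sample_dir"
```

On a real host the call is `audit_console /etc/ttys`. As the thread notes, this setting only covers single-user mode and does nothing about booting from other media.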