From owner-freebsd-security  Mon May 14 11: 9:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179])
	by hub.freebsd.org (Postfix) with ESMTP id 41F9E37B423
	for <freebsd-security@FreeBSD.ORG>; Mon, 14 May 2001 11:09:18 -0700 (PDT)
	(envelope-from meshko@daedalus.cs.brandeis.edu)
Received: from localhost (meshko@localhost)
	by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id OAA30982;
	Mon, 14 May 2001 14:09:02 -0400
Date: Mon, 14 May 2001 14:09:02 -0400 (EDT)
From: Mikhail Kruk <meshko@cs.brandeis.edu>
To: Rob Simmons <rsimmons@wlcg.com>
Cc: Eric Anderson <anderson@centtech.com>,
	"Oulman, Jamie" <JOulman@iphrase.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: nfs mounts / su / yp
In-Reply-To: <Pine.BSF.4.21.0105141358540.43455-100000@mail.wlcg.com>
Message-ID: <Pine.LNX.4.33.0105141406440.30117-100000@daedalus.cs.brandeis.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, you can disable booting from floppy, setup BIOS password and
physically lock the case. We have a bunch of Linux boxes running NIS in
our lab with this kind of setup and I believe there was no problems.
It's rather hard to break in the locked computer case without people
noticing it.

On Mon, 14 May 2001, Rob Simmons wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> You could set the console to insecure in /etc/ttys.  That way single user
> mode will ask for the root password.  You still can't prevent someone from
> booting with their own floppy disk and making changes that way.  I think
> the only way to prevent that is to use an encrypted filesystem of some
> sort.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Mon, 14 May 2001, Eric Anderson wrote:
>
> > If a user reboots their machine, goes into single user mode, and changes
> > the local root password (and adds their username into the wheel group of
> > course), then boots into multiuser mode, they can su to root, then su to
> > any NIS user they desire, and do malicious things as that user.  su'ing
> > from root to any other user never asks for a password, so login.conf
> > isn't used (right?)..
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.5 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7AB2qv8Bofna59hYRA0ebAKCQ9R1wLoemlWAuEdplqcSMcY12IQCfVH0B
> 8SkJHNs8J3aEYZ8dk27La2k=
> =Qb9E
> -----END PGP SIGNATURE-----
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message