Date:      Mon, 10 Dec 2001 23:51:32 -0800 (PST)
From:      John Baldwin <jhb@FreeBSD.org>
To:        Paul Richards <paul@freebsd-services.com>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, mini@haikugeek.com, Alfred Perlstein <bright@mu.org>, Mike Silbersack <silby@silby.com>, Mike Barcroft <mike@FreeBSD.org>
Subject:   Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID:  <XFMail.011210235132.jhb@FreeBSD.org>
In-Reply-To: <616630000.1008044969@lobster.originative.co.uk>


On 11-Dec-01 Paul Richards wrote:
> --On Monday, December 10, 2001 22:18:36 -0500 Mike Barcroft
> <mike@FreeBSD.org> wrote:
> 
>> Mike Silbersack <silby@silby.com> writes:
>>> On Mon, 10 Dec 2001, Alfred Perlstein wrote:
>>> 
>>> > > All these loader commits make it possible to overwrite the existing
>>> > > contents of a file on a UFS filesystem.
>>> > 
>>> > Yay!  One "cool" feature at least from a security standpoint would
>>> > be adding a write once variable to turn this off so that one can't
>>> > use loader to smash /etc/passwd.
>>> > 
>>> > John, or Jonathan... ? any plans on giving this a shot?
>>> > 
>>> > -Alfred
>>> 
>>> Hm, I wonder if write enabling should even be compiled into the loader by
>>> default - I think you're correct in suspecting that changing /etc/passwd
>>> will be the primary use of this feature. :|
>> 
>> Why would someone use this feature to write to the password file, when
>> they can just boot into single user mode and use their favourite
>> editor?
> 
> You need the superuser password to get to single user if the console is
> secure. The loader can be used to circumvent that now.

As someone else has noted, setting your init path to /tmp/mybinary opens your
machine up to root rather trivially, and that doesn't require write access. 
Note that we don't prevent doing 'more /etc/master.passwd' with which one can
then run crack against the root password or some other utility.  The assumption
has always been that you can't really prevent root if the user has console
access to the loader.  If you want a secure box, hack boot2 to not accept input
(so alternate loaders can't be loaded), change it to load a kernel instead of
the loader, and compile your hints statically into your kernel.

-- 

John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
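The two defensive settings the thread turns on, shown as an added illustration (not part of the original mail or of any FreeBSD source): the "secure console" flag in /etc/ttys that makes single-user mode ask for the root password, and the kernel config directive that compiles device hints statically so the kernel no longer depends on the loader for them. The file names and the GENERIC.hints path are the stock FreeBSD ones; the surrounding comments are assumptions for illustration, and neither fragment by itself replaces the boot2 change the message describes.

```conf
# /etc/ttys
# Marking the console "insecure" forces init(8) to prompt for the root
# password before dropping to a single-user shell. This is the control the
# loader can bypass, so it only helps when the loader itself is locked down.
console none    unknown off insecure

# Kernel configuration file (e.g. /usr/src/sys/i386/conf/MYKERNEL)
# Compile device hints into the kernel so booting does not rely on the
# loader reading /boot/device.hints; pair this with a boot block that
# loads the kernel directly and takes no interactive input.
hints   "GENERIC.hints"
```

After changing /etc/ttys, run `kill -HUP 1` so init re-reads it; the kernel hints line takes effect only after rebuilding and installing the kernel.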
