From owner-freebsd-questions  Mon Oct 23  6:47:12 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from donkeykong.gpcc.itd.umich.edu (donkeykong.gpcc.itd.umich.edu [141.211.2.163])
	by hub.freebsd.org (Postfix) with ESMTP id 4855637B479
	for <questions@FreeBSD.ORG>; Mon, 23 Oct 2000 06:47:10 -0700 (PDT)
Received: from gorf.gpcc.itd.umich.edu (smtp@gorf.gpcc.itd.umich.edu [141.211.2.147])
        by donkeykong.gpcc.itd.umich.edu (8.8.8/4.3-mailhub) with ESMTP id JAA28598; Mon, 23 Oct 2000 09:47:09 -0400 (EDT)
Received: from localhost (timcm@localhost)
	by gorf.gpcc.itd.umich.edu (8.8.8/5.1-client) with ESMTP id JAA13763; Mon, 23 Oct 2000 09:47:08 -0400 (EDT)
Date: Mon, 23 Oct 2000 09:47:08 -0400 (EDT)
From: Tim McMillen <timcm@umich.edu>
X-Sender: timcm@gorf.gpcc.itd.umich.edu
To: Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>
Cc: questions@FreeBSD.ORG
Subject: Re: secure boot
In-Reply-To: <200010231306.PAA69534@gilberto.physik.rwth-aachen.de>
Message-ID: <Pine.SOL.4.10.10010230941490.12076-100000@gorf.gpcc.itd.umich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


No.  If somebody has physical access to your box they can do anything they
want.  Including wiping freebsd off your HD and installing windows.  
	For example you can mark the console as insecure so they have to
have the superuser password.  But all they have to do is have a boot
floppy to get single user mode.  You could take out the floppy and cdrom
drive and allow booting only from the HD.  An attacker could just install
those things back.  You can password protect the bios, but taking the
battery off of it wipes it out and they can change the bios again.  
	There is no substitute for physical security
Doing some of the above will help, ie make it more inconvenient to attack
the box, but you cannot be absolutely safe.
						Tim


On Mon, 23 Oct 2000, Christoph Kukulies wrote:

> 
> Is there a way to make FreeBSD absolutely safe against rebooting
> and getting into super user mode, e.g. by interrupting the
> boot process, ^C into single user or booting into single user mode?
> 
> -- 
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message