From: Scott Mace
Subject: Re: DISKLESS users become root
To: clary@elec.uq.oz.au (Clary Harridge)
Cc: freebsd-security@FreeBSD.org
Date: Wed, 26 Apr 1995 09:21:20 -0600 (MDT)
Message-Id: <199504261521.JAA01305@metal.ops.neosoft.com>
In-Reply-To: <9504260509.AA15058@s1.elec.uq.oz.au> from "Clary Harridge" at Apr 26, 95 03:08:47 pm

I think if you make console in /etc/ttys be insecure, it will solve your problem. This will require the root password to go into single user mode. Without this, the console is a very insecure place...

Scott

> Users on any DISKLESS client can become root during the boot sequence.
>
> I have diskless clients booting off a FreeBSD file server and find that
> pressing CTRL-C just after the last NFS mount and before the "autoreboot"
> message causes
>
>     init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
>     Enter pathname of shell or RETURN for sh:
>
> then RETURN gives a root shell.
>
> The state of the /etc/ttys file is not being checked for whether the
> console is secure (or not) and the user is NOT prompted for a root
> password.
>
> Has anyone a cure for this problem?
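As an added example that is not part of the original thread: a small sh/awk audit that reports whether the console entry in an /etc/ttys file carries the "secure" flag (the setting Scott's reply turns on) and produces a copy with the flag changed to "insecure", so that init asks for the root password before dropping to single-user mode. The sample ttys file is constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Audits an /etc/ttys
# file: a console line carrying "secure" lets BSD init start single-user
# mode without a root password; "insecure" (or no "secure" word) makes init
# prompt for it. The sample file below is constructed for this demonstration.

SAMPLE_TTYS=$(mktemp)
trap 'rm -f "$SAMPLE_TTYS"' EXIT
cat > "$SAMPLE_TTYS" <<'EOF'
# name  getty                           type    status          comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyp0   none                            network
EOF

# console_status FILE -> prints "secure", "insecure" or "missing"
console_status() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++)
                if ($i == "secure") { print "secure"; exit }
            print "insecure"; exit
        }
        END { if (!found) print "missing" }       # no console entry at all
    ' "$1"
}

# mark_console_insecure FILE -> prints a copy of FILE with the console line
# changed from "secure" to "insecure"; every other line is passed through.
mark_console_insecure() {
    awk '
        $1 == "console" { for (i = 2; i <= NF; i++) if ($i == "secure") $i = "insecure" }
        { print }
    ' "$1"
}

printf 'console is %s\n' "$(console_status "$SAMPLE_TTYS")"
```

Run the audit against the live /etc/ttys on a server whose clients boot diskless; a result of "secure" means an interrupted /etc/rc still hands out a root shell without a password.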