From owner-freebsd-security  Tue Dec  3 07:35:53 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA21386
          for security-outgoing; Tue, 3 Dec 1996 07:35:53 -0800 (PST)
Received: from bacall.lodgenet.com (bacall.lodgenet.com [205.138.147.242])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA21377
          for <freebsd-security@FreeBSD.org>; Tue, 3 Dec 1996 07:35:45 -0800 (PST)
Received: (from mail@localhost) by bacall.lodgenet.com (8.6.12/8.6.12) id JAA10580; Tue, 3 Dec 1996 09:35:12 -0600
Received: from garbo.lodgenet.com(204.124.123.250) by bacall via smap (V1.3)
	id sma010575; Tue Dec  3 09:35:07 1996
Received: from jake.lodgenet.com (jake.lodgenet.com [10.0.11.30]) by garbo.lodgenet.com (8.6.12/8.6.9) with ESMTP id JAA01126; Tue, 3 Dec 1996 09:35:13 -0600
Received: from jake.lodgenet.com (localhost [127.0.0.1]) by jake.lodgenet.com (8.8.3/8.6.12) with ESMTP id JAA26706; Tue, 3 Dec 1996 09:35:20 -0600 (CST)
Message-Id: <199612031535.JAA26706@jake.lodgenet.com>
X-Mailer: exmh version 1.6.9 8/22/96
To: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
cc: Joe Diehl <joed@telecom.ksu.edu>, freebsd-security@FreeBSD.org
Subject: Re: Securing the freebsd boot process 
In-reply-to: Your message of "Tue, 03 Dec 1996 12:08:14 +1100."
             <Pine.BSF.3.91.961203115014.1605o-100000@panda.hilink.com.au> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 03 Dec 1996 09:35:20 -0600
From: "Eric L. Hernes" <erich@lodgenet.com>
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

"Daniel O'Callaghan" writes:
>
>
>On Mon, 2 Dec 1996, Joe Diehl wrote:
>
>> Is there anyway to increase the security of a FreeBSD machine at boot
>> time?  The two points of concern are booting into single user mode
>> without a password, 
>
>This is solved partially by removing the 'secure' keyword from 'console' 
>in /etc/ttys.  That will force init to require the root password before
>starting a shell, if the system is booted in single-user mode.
>'kill -HUP 1' after editing /etc/ttys.
>
>> and hitting Ctrl-C repeatedly while /etc/rc is 
>> executing.  Naturally, either of the two will drop the machine to a
>> root shell.
>
>Not sure about this.  Perhaps someone else can explain the 'trap' section 
>of sh(1) more clearly than sh.1 does  (see the 'trap' statements at the 
>start of /etc/rc)
>

I haven't tried, but you probably could put something like "stty intr '^-'"
as one of the first lines in /etc/rc, to disable ^c.  Or better yet,
you could do the equivalent setctty() in init.c


>Danny
>
>

eric.
-- 
erich@lodgenet.com
http://rrnet.com/~erich erich@rrnet.com