From owner-freebsd-security Mon May 14 11:30:41 2001
Date: Mon, 14 May 2001 14:29:25 -0400 (EDT)
From: Rob Simmons
To: Craig Cowen
Cc: Eric Anderson, "Oulman, Jamie", freebsd-security@FreeBSD.ORG
Subject: Re: nfs mounts / su / yp
In-Reply-To: <3B00216B.6D83C12D@allmaui.com>

If you use an encrypted filesystem, that is not needed.  If you are taking
care of a large number of various boxen, you will want to use a solution
that is software based.  You don't want to rely on BIOS passwords and
stuff like that.  You can cut open a locked case, you can set the jumper
to reset the BIOS, but you will get nowhere booting from floppy if the
filesystem is encrypted.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 14 May 2001, Craig Cowen wrote:

> how about using a bios passwd and removing the floppy from bios?
>
> Rob Simmons wrote:
>
> > You could set the console to insecure in /etc/ttys.  That way single user
> > mode will ask for the root password.  You still can't prevent someone from
> > booting with their own floppy disk and making changes that way.  I think
> > the only way to prevent that is to use an encrypted filesystem of some
> > sort.
> >
> > Robert Simmons
> > Systems Administrator
> > http://www.wlcg.com/
> >
> > On Mon, 14 May 2001, Eric Anderson wrote:
> >
> > > If a user reboots their machine, goes into single user mode, and changes
> > > the local root password (and adds their username into the wheel group of
> > > course), then boots into multiuser mode, they can su to root, then su to
> > > any NIS user they desire, and do malicious things as that user.  su'ing
> > > from root to any other user never asks for a password, so login.conf
> > > isn't used (right?)..

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
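
The /etc/ttys console setting mentioned in the thread can be checked across many hosts with a small script. This is an added example, not part of the original messages; the function name check_console_ttys and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "console" entry of a FreeBSD-style ttys file.
# Exit status of check_console_ttys (hypothetical helper name):
#   0 = console explicitly marked "insecure" (single-user mode asks for
#       the root password, as described in the thread)
#   1 = console marked "secure" (single-user mode does not ask)
#   2 = no console entry, or neither flag present: review by hand
check_console_ttys() {
    awk '
        { sub(/#.*/, "") }          # drop comments; awk re-splits the fields
        $1 == "console" {
            found = 1
            state = "unset"
            # The getty field may be quoted and contain spaces, so scan
            # every remaining word instead of relying on a fixed column.
            for (i = 2; i <= NF; i++) {
                if ($i == "insecure")    state = "insecure"
                else if ($i == "secure") state = "secure"
            }
        }
        END {
            if (!found || state == "unset") exit 2
            if (state == "insecure")        exit 0
            exit 1
        }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                       type    status
console none                        unknown off secure
ttyv0   "/usr/libexec/getty Pc"     cons25  on  secure
EOF

if check_console_ttys "$sample"; then
    echo "console is insecure: single-user mode asks for the root password"
else
    echo "console is not marked insecure: check single-user access"
fi
rm -f "$sample"
```

On a real host the function would be pointed at /etc/ttys. As the thread notes, this setting does not help against someone booting from their own media.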