Date:      Tue, 11 Dec 2001 12:12:27 -0800 (PST)
From:      John Baldwin <jhb@FreeBSD.org>
To:        Nate Williams <nate@yogotech.com>
Cc:        Mike Barcroft <mike@FreeBSD.org>, Mike Silbersack <silby@silby.com>, Alfred Perlstein <bright@mu.org>, mini@haikugeek.com, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Wilko Bulte <wkb@freebie.xs4all.nl>, Paul Richards <paul@freebsd-services.com>
Subject:   Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID:  <XFMail.011211121227.jhb@FreeBSD.org>
In-Reply-To: <15382.26187.453320.35053@caddis.yogotech.com>

On 11-Dec-01 Nate Williams wrote:
>> It has that, but it's simple.  You didn't read my earlier message though where
>> I detailed what we _did_ do for my lab at school.  We didn't use the loader at
>> all, instead we hacked (it was a small hack, and an #ifdef for it could be
>> made) boot2 to not accept user input and to boot the kernel directly.
> 
> FWIW, this is what I did when I set up a lab full of insecure PC's.  I
> simply created a custom boot loader that ignored user input.
> 
> This was the best way I could think of to make the boxes secure.  (That
> and forcing the box to boot from hard-disk first.)
> 
> Since I knew the password, I could change the boot order, then stick in
> a floppy to do recovery.  Yes, it was a pain, but security doesn't come
> w/out costs.

Yep, exactly what we did.  It's a very simple change to boot2 and I could make
it configurable so that one did 'make -DBOOT_BOOT2_SECURE
BOOT_BOOT2_KERNEL="/boot/kernel/kernel"' to make boot2 not accept user input
and load /boot/kernel/kernel instead of /boot/loader if desired.

> Nate

-- 

John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
