From: Matt Dawson <matt@chronos.org.uk>
To: freebsd-security@freebsd.org
Date: Tue, 15 May 2012 12:23:56 +0100
References: <498a30cb02045f5cc24747b535581a61@vahid-shokouhi.net>
In-Reply-To: <498a30cb02045f5cc24747b535581a61@vahid-shokouhi.net>
Message-Id: <201205151223.58643.matt@chronos.org.uk>
Subject: Re: Fwd: Single user mode

On Tuesday 15 May 2012 10:53:16 Vahid Shokouhi wrote:
> note that running command(s) in this mode results in temporary
> changes only in THIS boot; which means you can remove/undo changes
> by rebooting your machine.

Utter tosh. After (re)mounting you have as much access to the local filesystems as you would from a root prompt, and such configuration changes are permanent.

Rule 1 of security applies whatever OS you're running: if someone else can access your system then it's not your system any more. Physical security can be as important as electronic. If you're worried about local opportunists messing about with your systems:

1) Password protect the boot in the NVRAM so that even a power cycle/hard reset disables opportunistic access;
2) Disable the three fingered salute reboot in syscons (options SC_DISABLE_REBOOT in the kernconf);
3) Set the console as insecure;
4) Disable dropping to loader in the beastie menu;
5) Lock the damned door.

None of this is foolproof: 1 can be overridden by clearing the NVRAM with the good old Mk1 shorting jumper, 2 is defeated by a hard reset, 3/4 can be defeated by using a live system that can read UFS (frenzy springs to mind) and 5 with a prybar. If you need that level of security, geli full FS encryption is your only option.
If someone *really* wants in and has access to the machine you'll have a hard time keeping him out. You may also want "Beware of the leopard" on the machine room door along with a hungry rottweiler (if you're concerned with accuracy of signage, paint him) and a few bored gorillas in security suits. Alternatively, disguise the server as a crippled old 386 with a couple of 7segs on the front panel displaying "25" and the turbo LED on in a dusty corner with an old EPROM burner on the desk and a few 2732s scattered about - nobody is going to pay that dinosaur any attention whatsoever.

-- 
Matt Dawson
GW0VNR
MTD15-RIPE
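As an added example (not from Matt's post or the FreeBSD project), a small sh audit of three of the settings listed above, assuming the usual files /etc/ttys, /boot/loader.conf and a kernel config file: it checks that the console is marked "insecure" in ttys (step 3), that loader.conf carries beastie_disable="YES" and autoboot_delay="-1" (my reading of step 4; the post does not name the knobs), and that the kernconf contains options SC_DISABLE_REBOOT (step 2). File paths are parameters so it can be run against copied files on any box.

```shell
#!/bin/sh
# Added audit helper; not part of the original post. Each check is a
# function that returns 0 (pass) or 1 (fail) so it can be scripted.
set -e

# Step 3: /etc/ttys line "console none unknown off secure|insecure".
# The security flag is the 5th or a later field, so scan from field 5 on.
console_is_insecure() {
    awk '$1 == "console" { for (i = 5; i <= NF; i++) if ($i == "insecure") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Step 4 (assumed knobs): no beastie menu and no autoboot countdown,
# so there is no window in which to drop to the loader prompt.
loader_menu_disabled() {
    grep -Eq '^[[:space:]]*beastie_disable="?YES"?' "$1" &&
    grep -Eq '^[[:space:]]*autoboot_delay="?-1"?' "$1"
}

# Step 2: kernel config must carry options SC_DISABLE_REBOOT.
kernconf_disables_reboot() {
    grep -Eq '^[[:space:]]*options[[:space:]]+SC_DISABLE_REBOOT([[:space:]]|$)' "$1"
}

# Run all three checks against the given files; return 1 if any fails.
audit_console_hardening() {
    ttys="$1"; loaderconf="$2"; kernconf="$3"; rc=0
    if console_is_insecure "$ttys"; then echo "ttys: console insecure (ok)"
    else echo "ttys: console NOT marked insecure"; rc=1; fi
    if loader_menu_disabled "$loaderconf"; then echo "loader.conf: menu/countdown off (ok)"
    else echo "loader.conf: beastie menu or autoboot delay still enabled"; rc=1; fi
    if kernconf_disables_reboot "$kernconf"; then echo "kernconf: SC_DISABLE_REBOOT (ok)"
    else echo "kernconf: SC_DISABLE_REBOOT missing"; rc=1; fi
    return $rc
}

# Usage on a live FreeBSD system (kernel config path is site-specific):
#   audit_console_hardening /etc/ttys /boot/loader.conf /usr/src/sys/amd64/conf/MYKERNEL
```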