Date:      Tue, 15 May 2012 12:23:56 +0100
From:      Matt Dawson <matt@chronos.org.uk>
To:        freebsd-security@freebsd.org
Subject:   Re: Fwd: Single user mode
Message-ID:  <201205151223.58643.matt@chronos.org.uk>
In-Reply-To: <498a30cb02045f5cc24747b535581a61@vahid-shokouhi.net>
References:  <CAL5m1BsnURTXsZJEkF9sR-3wsVRHkOto-CuCSuJCgH2yivNGPg@mail.gmail.com> <CAL5m1BtpNomf8qUONOHf2i-jPyRrPK7ZRvH3nsePStZuEQ_UmQ@mail.gmail.com> <498a30cb02045f5cc24747b535581a61@vahid-shokouhi.net>

On Tuesday 15 May 2012 10:53:16 Vahid Shokouhi wrote:
> note that running command(s) in this mode result in temporary
> changes only in THIS boot; which means you can remove/undo changes
> by rebooting your machine.

Utter tosh. After (re)mounting you have as much access to the local 
filesystems as you would from a root prompt and such configuration 
changes are permanent.

Rule 1 of security applies whatever OS you're running: If someone else 
can access your system then it's not your system any more. Physical 
security can be as important as electronic. If you're worried about 
local opportunists messing about with your systems:

1) Password protect the boot in the NVRAM so that even a power cycle/ 
hard reset disables opportunistic access;
2) Disable the three fingered salute reboot in syscons (options
SC_DISABLE_REBOOT in the kernconf);
3) Set the console as insecure;
4) Disable dropping to loader in the beastie menu;
5) Lock the damned door.

None of this is foolproof: 1 can be overridden by clearing the NVRAM 
with the good old Mk1 shorting jumper, 2 is defeated by a hard reset, 
3/4 can be defeated by using a live system that can read UFS (frenzy 
springs to mind) and 5 with a prybar. If you need that level of 
security, geli full FS encryption is your only option. If someone 
*really* wants in and has access to the machine you'll have a hard 
time keeping him out.

You may also want "Beware of the leopard" on the machine room door 
along with a hungry rottweiler (if you're concerned with accuracy of 
signage, paint him) and a few bored gorillas in security suits.

Alternatively, disguise the server as a crippled old 386 with a couple 
of 7segs on the front panel displaying "25" and the turbo LED on in a 
dusty corner with an old EPROM burner on the desk and a few 2732s 
scattered about - nobody is going to pay that dinosaur any attention 
whatsoever.
-- 
Matt Dawson
GW0VNR
MTD15-RIPE
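
An added example, not part of the message above and not FreeBSD's own tooling: a small sh script that checks items 2 to 4 of the checklist in the relevant configuration files. Mapping item 4 to `beastie_disable="YES"` plus `autoboot_delay="-1"` in loader.conf is an assumption, since the message does not name the settings, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original message): check items 2-4 of the
# checklist in config files. Usage: script TTYS LOADER_CONF KERNCONF

# Item 2: kernel config contains "options SC_DISABLE_REBOOT".
# This reads the config file only; it cannot tell what the running kernel has.
reboot_key_disabled() {
    grep -Eq '^[[:space:]]*options[[:space:]]+SC_DISABLE_REBOOT([[:space:]]|#|$)' "$1"
}

# Item 3: the console entry in ttys(5) carries the "insecure" flag, so
# single-user mode asks for the root password. Comments are stripped first.
console_insecure() {
    awk '{ sub(/#.*/, "") }
         $1 == "console" { for (i = 4; i <= NF; i++) if ($i == "insecure") ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Print the last value assigned to variable $2 in loader.conf-style file $1.
loader_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Item 4 (assumed mapping): menu disabled and autoboot not interruptible.
loader_locked() {
    [ "$(loader_value "$1" autoboot_delay)" = "-1" ] &&
    [ "$(loader_value "$1" beastie_disable | tr 'a-z' 'A-Z')" = "YES" ]
}

# Print one line per failed check; exit status is the number of failures.
audit() {
    fails=0
    reboot_key_disabled "$3" || { echo "FAIL 2: SC_DISABLE_REBOOT not set in $3"; fails=$((fails + 1)); }
    console_insecure "$1" || { echo "FAIL 3: console not marked insecure in $1"; fails=$((fails + 1)); }
    loader_locked "$2" || { echo "FAIL 4: loader prompt reachable per $2"; fails=$((fails + 1)); }
    return "$fails"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

A clean result only means the files carry these settings; as the message says, none of them stops someone who can reset the NVRAM or boot a live system.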


