From: Tom Evans
To: mahdieh salamat
Cc: freebsd-security@freebsd.org
Date: Wed, 16 May 2012 10:06:01 +0100
Subject: Re: Single user mode

On Tue, May 15, 2012 at 9:40 AM,
mahdieh salamat wrote:
> Thanks all, I have another question. Certainly you see this message at
> FreeBSD startup: "Hit [Enter] to boot immediately, or any other key for
> command prompt."
> After seeing it, if you press any key you enter another mode, and if you type
> '?' you can see the list of commands. I want to remove this mode. It's so
> important that a user can't access this mode.
> Who can help me?
> Thanks
>

If your users have physical access to the machine then it is difficult
to prevent them from booting from alternate media - a USB key, a CD -
mounting your disks and changing the root password. Actually, I would
add a separate root user (toor2), as the root password changing is
somewhat detectable.

You can fix boot order in the BIOS, but a BIOS can be reset simply by
removing the BIOS battery briefly. In addition to that, many BIOS will
also offer a boot menu option - which cannot be disabled - allowing
the user to choose which device to boot from without entering the
BIOS.

Cheers

Tom
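
The reply above points out that an extra UID-0 account (the "toor2" case) is less noticeable than a changed root password. As an added example that is not part of the original message, this check lists UID-0 accounts in master.passwd(5)-format input that are not on an allowlist; the function names, the allowlist and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag UID-0 accounts that are not on an allowlist.
# A stock FreeBSD master.passwd has two UID-0 entries, root and toor.

# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
sample_master_passwd() {
cat <<'EOF'
# constructed sample, not a real password file
root:$6$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
toor2:$6$constructedhash:0:0::0:0:Backup admin:/root:/bin/sh
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
EOF
}

# unexpected_uid0 ALLOWLIST < passwd-format input
# Prints the name of every UID-0 account that is not in the
# space-separated ALLOWLIST, one name per line.
unexpected_uid0() {
    awk -F: -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^#/ || NF < 3 { next }              # skip comments and short lines
        $3 ~ /^0+$/ && !($1 in ok) { print $1 }   # uid 0 (also "00") not allowed
    '
}
```

On a live system the same function can be run as root with `unexpected_uid0 "root toor" < /etc/master.passwd`, and its output compared against a baseline kept off the machine.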