From owner-freebsd-security Mon Sep 6 22:40:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from pop3-3.enteract.com (pop3-3.enteract.com [207.229.143.32]) by hub.freebsd.org (Postfix) with SMTP id 8AC52155C1 for ; Mon, 6 Sep 1999 22:40:04 -0700 (PDT) (envelope-from dscheidt@tumbolia.com) Received: (qmail 3585 invoked from network); 7 Sep 1999 05:40:04 -0000 Received: from shell-2.enteract.com (dscheidt@207.229.143.41) by pop3-3.enteract.com with SMTP; 7 Sep 1999 05:40:04 -0000 Date: Tue, 7 Sep 1999 00:40:03 -0500 (CDT) From: David Scheidt X-Sender: dscheidt@shell-2.enteract.com To: KATO Takenori Cc: dillon@apollo.backplane.com, gjb-freebsd@gba.oz.au, des@flood.ping.uio.no, bde@zeta.org.au, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Init(8) cannot decrease securelevel In-Reply-To: <19990907140016E.kato@gneiss.eps.nagoya-u.ac.jp> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 7 Sep 1999, KATO Takenori wrote: > DDB does not provide enough security. Though securelevel cannot be > changed, > > (1) Turn off power. > (2) Boot as single-user mode. Setting the console as insecure should protect against this. > or > > (1) Turn off power. > (2) Remove HDD. > (3) Mount on another FreeBSD box. > (4) Edit a file in the HDD. > (5) Return HDD. > (6) Reboot. > > is available. There isn't a whole lot you can do to protect a system against crackers who have physical access to the system. Heavily armed guards would help, but I don't expect to see them as part of the base distribution anytime soon. David Scheidt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message