From owner-freebsd-questions  Mon Oct 23  8:36:31 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from siafu.iconnect.co.ke (upagraha.iconnect.co.ke [209.198.248.2])
	by hub.freebsd.org (Postfix) with ESMTP id B077F37B479
	for <freebsd-questions@freebsd.org>; Mon, 23 Oct 2000 08:36:25 -0700 (PDT)
Received: from [212.22.163.2] (helo=poeza.iconnect.co.ke)
	by siafu.iconnect.co.ke with esmtp (Exim 2.12 #1)
	id 13njbz-0009kh-00; Mon, 23 Oct 2000 18:34:07 +0300
Received: from wash by poeza.iconnect.co.ke with local (Exim 3.16 #1)
	id 13njeZ-000BBp-00; Mon, 23 Oct 2000 18:36:47 +0300
Date: Mon, 23 Oct 2000 18:36:47 +0300
From: Odhiambo Washington <wash@iconnect.co.ke>
To: Tim McMillen <timcm@umich.edu>
Cc: FBSD-Q <freebsd-questions@freebsd.org>
Subject: Re: secure boot
Message-ID: <20001023183647.L39976@poeza.iconnect.co.ke>
Mail-Followup-To: Odhiambo Washington <wash@iconnect.co.ke>,
	Tim McMillen <timcm@umich.edu>,
	FBSD-Q <freebsd-questions@freebsd.org>
References: <200010231306.PAA69534@gilberto.physik.rwth-aachen.de> <Pine.SOL.4.10.10010230941490.12076-100000@gorf.gpcc.itd.umich.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.SOL.4.10.10010230941490.12076-100000@gorf.gpcc.itd.umich.edu>; 
	from "Tim McMillen" on Mon, Oct 23, 2000 at 09:47:08AM -0400
X-Operating-System: FreeBSD poeza.iconnect.co.ke 3.5-STABLE FreeBSD 3.5-STABLE 
X-Mailer: Mutt http://www.mutt.org/
X-Location: Mombasa, KE, East Africa
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Tim McMillen <timcm@umich.edu> [20001023 16:49]:
=>
=>No.  If somebody has physical access to your box they can do anything they
=>want.  Including wiping freebsd off your HD and installing windows.  
=>	For example you can mark the console as insecure so they have to
=>have the superuser password.  But all they have to do is have a boot
=>floppy to get single user mode.  

Hey, just wondered if a boot floppy is really necessary...if they cold
bott and choose single user mode at the prompt...is there a way of
stopping/preventing that??? So that even booting into SUM requires the
root passwd...

=>You could take out the floppy and cdrom
=>drive and allow booting only from the HD.  An attacker could just install
=>those things back.  You can password protect the bios, but taking the
=>battery off of it wipes it out and they can change the bios again.  
=>	There is no substitute for physical security
=>Doing some of the above will help, ie make it more inconvenient to attack
=>the box, but you cannot be absolutely safe.
=>						Tim
=>
=>
=>On Mon, 23 Oct 2000, Christoph Kukulies wrote:
=>
=>> 
=>> Is there a way to make FreeBSD absolutely safe against rebooting
=>> and getting into super user mode, e.g. by interrupting the
=>> boot process, ^C into single user or booting into single user mode?
=>> 
=>> -- 
=>> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
=>
=>
=>
=>To Unsubscribe: send mail to majordomo@FreeBSD.org
=>with "unsubscribe freebsd-questions" in the body of the message

-Wash

--
Odhiambo Washington  Inter-Connect Ltd.,
wash@iconnect.co.ke  5th Flr Furaha Plaza
Tel: 254 11 222604   Nkrumah Rd.,
Fax: 254 11 222636   PO Box 83613 MOMBASA, KENYA.

I came, I saw, I deleted all your files. 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message