Date: Tue, 24 Oct 2000 06:09:39 -0500 (CDT) From: Mike Meyer <mwm@mired.org> To: Odhiambo Washington <wash@iconnect.co.ke> Cc: questions@freebsd.org Subject: Re: secure boot Message-ID: <14837.28147.463188.672602@guru.mired.org> In-Reply-To: <95783454@toto.iv>
next in thread | previous in thread | raw e-mail | index | archive | help
Odhiambo Washington writes: > * Tim McMillen <timcm@umich.edu> [20001023 16:49]: > =>No. If somebody has physical access to your box they can do anything they > =>want. Including wiping freebsd off your HD and installing windows. > => For example you can mark the console as insecure so they have to > =>have the superuser password. But all they have to do is have a boot > =>floppy to get single user mode. Um - just because they have physical access to the box doesn't mean they can do anything they want. For instance, if it's sitting in a lab with a bunch of other PCs and an employee monitoring the lab whenever it's open, things like opening the box and installing new hardware aren't feasible. > Hey, just wondered if a boot floppy is really necessary...if they cold > bott and choose single user mode at the prompt...is there a way of > stopping/preventing that??? So that even booting into SUM requires the > root passwd... You can protect against the boot floppy. Most modern BIOSes have boot options that force the boot from HD first, and can you can password the BIOS options to prevent that from being changed. So it is possible to arrange the rest of the world so that a single-user boot is the easiest vulnerability to exploit even with physical access to the machine. Under those conditions, wanting to make that harder to exploit is a perfectly reasonable thing to want to do. You can disable single-usr boot mode. Read through the docs on loader(8), loader.conf(5) and loader.4th(8). Having one of them boot instead of defaulting to autoboot would skip the "Hit Enter to ..." step. However, the better solution is to edit /etc/ttys, marking the console as "insecure" instead of "secure". /etc/init will then insist that you correctly enter the root password before giving you a single user shell. <mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14837.28147.463188.672602>