Date: Tue, 8 Dec 1998 23:27:40 -0800
From: Gregory Sutter
To: Michael Borowiec, questions@FreeBSD.ORG
Subject: Re: Securing the FreeBSD console
Message-ID: <19981208232740.B4021@orcrist.mediacity.com>

On Wed, Dec 09, 1998 at 12:24:05AM -0600, Michael Borowiec wrote:
>
> To prevent rebooting your server with a Ctrl-Alt-Del requires
> a kernel config change. Where is this documented?

In the LINT file, /sys/i386/conf/LINT, under the syscons section, you
can see options SC_DISABLE_REBOOT.

> Xlock is useless with the sc0 console driver, since typing Ctrl-Alt-F1
> breaks out of graphics mode, back to the virtual terminal. Then one simply
> does a Ctrl-C and they're in... How can this be disabled?

Brand new versions of xlock have an option, vtlock, which disables
vt switching. You'll need to be running at least xlockmore-4.12
to get this option -- 4.11 doesn't have it.

> Anyone know why FreeBSD ships with all these security holes enabled by
> default? I checked the FreeBSD Security web page, and there was no mention
> of any of these "features", or how to plug them. (Did I miss something?)

Sure. They're not security holes on most systems. If you want to
disable three-finger saluting from the console, that's your business.
If you want to disable vt switching while in xlock, that's your business
too. If you want to disable ctrl-alt-backspace to kill X, that as well
is your own business. Most people _do_ find them features, not security
holes.

Greg
(ctrl-alt-del disabled, ctrl-alt-backspace enabled, xlock vt switching enabled)
--
Gregory S. Sutter    Bureaucrats cut red tape -- lengthwise.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052