Date: Sat, 28 Apr 2001 02:24:39 +0200
From: Frank v Waveren <fvw@var.cx>
To: freebsd-questions@FreeBSD.ORG
Subject: securing the bootup sequence
Message-ID: <20010428022439.A1449@var.cx>

I'm trying to secure the bootup sequence of a 4.3-release install. With a Linux install (the box's previous install) this is quite easy, just set the BIOS to disallow boot from floppy, and give lilo the password= and 'restricted' options. With that configuration, there is no way to get access to an account on the box without physically opening it.

However, trying to do this with FreeBSD proves a lot harder. Since I have two IDE drives, boot0 gives the F? list of drives, from which you can select the drive without the kernel on it, which can bring the boot process to a halt, which isn't nice, but isn't terrible either.

boot2 is a lot more annoying however. Even if it doesn't show its prompt by default, pressing space when you get the first '-' will bring up the prompt. From here, you can load an arbitrary replacement for /boot/loader, either previously stored in a user's homedir or from floppy. I can't find any way short of hacking the code of stopping boot2 from doing this.

The next part of the entertainment is /boot/loader. According to all the docu, having a set password=foo and check-password in /boot/loader.rc should get you a password prompt if you do anything apart from allowing the autoboot to continue. However, the password prompt doesn't appear for me, whatever I tried.. :-(

I have found one discussion from a while back on this topic on deja.com, however I didn't find any useful answers apart from "there's no such thing as security if the attacker has physical access", but I'm not trying to protect against physical access here, just console access.

TIA!

-- 
Frank v Waveren                                      Fingerprint: 0EDB 8787
fvw@[var.cx|dse.nl|stack.nl|chello.nl] ICQ#10074100     09B9 6EF5 6425 B855
Public key: http://www.var.cx/pubkey/fvw@var.cx-gpg     7179 3036 E136 B85D