From owner-freebsd-stable  Mon Jul  3 19:33:16 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210])
	by hub.freebsd.org (Postfix) with ESMTP id 16EF137C358
	for <freebsd-stable@freebsd.org>; Mon,  3 Jul 2000 19:33:10 -0700 (PDT)
	(envelope-from johnsa@kpi.com.au)
Received: from kpi.com.au (ws03.kpi.com.au [203.39.132.216])
	by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id MAA34010;
	Tue, 4 Jul 2000 12:33:12 +1000 (EST)
	(envelope-from johnsa@kpi.com.au)
Message-ID: <39614D4F.D4DD6469@kpi.com.au>
Date: Tue, 04 Jul 2000 12:34:55 +1000
From: Andrew Johns <johnsa@kpi.com.au>
Organization: KPI Logistics Pty. Ltd.
X-Mailer: Mozilla 4.73 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Dan O'Connor" <dan@mostgraveconcern.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: securing the boot process (again?!?)
References: <017c01bfe541$98611f40$0200000a@danco>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dan O'Connor wrote:
> 
> >I have been trying to secure (a bit) the boot process of a 4.0-STABLE
> >machine that is located in a public place.
> >
> >I need to use the floppy disk, but if I disable it from the BIOS I get
> >no access to it under FreeBSD.  So I set the boot sequence to "C only"
> >but if I press space while the initial hyphen is displayed i get a
> >prompt with no password being requested. (Note I have set a password
> >in /boot/loader.conf, and set the console to "insecure" in /etc/ttys)
> >
> >The problem is I can boot any kernel or loader, including a kernel off
> >the floppy drive [just type fd(0,a)/evilkernel at the prompt].  From
> >there to a setuid(12345) that yields uid=0 (patched kernel, remember?)
> >is just a small step.  Any ideas for further improvement of the boot
> >process security?
> 
> Doesn't your computer have a BIOS password? These are typically invoked
> *before* the BIOS tries to boot off any disk...

Unfortunately BIOS passwords can be disabled on the motherboard in a matter
of minutes (for most motherboards that I know of).  Even Dell laptops (don't
know about their desktops/servers) have a master password that Dell will give
you if you call them, provided you give them some details first.

Regards
---------------------\=-_    _-=/
Andrew Johns BSc.     \  \==/  /
Principal Consultant   \      /
KPI Logistics Pty Ltd   \    /
mailto:johnsa@kpi.com.au \ +/
http://www.kpi.com.au     \/
                            How do I set this laser printer to stun?
My favourite boot labels:
                          F1 Real OS     -> http://www.FreeBSD.org
                          F2 Pretend OS  -> http://www.microsoft.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message