From owner-freebsd-stable Tue Jul 4 3:27:35 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227])
    by hub.freebsd.org (Postfix) with SMTP id A841237B71D
    for ; Tue, 4 Jul 2000 03:27:27 -0700 (PDT)
    (envelope-from razor@ldc.ro)
Received: (qmail 13311 invoked by uid 666); 4 Jul 2000 10:27:21 -0000
Date: Tue, 4 Jul 2000 13:27:21 +0300
From: Alex Popa
To: Dan O'Connor
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: securing the boot process (again?!?)
Message-ID: <20000704132721.A13263@ldc.ro>
References: <0d8b01bfe56a$0c01c580$0200000a@danco>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <0d8b01bfe56a$0c01c580$0200000a@danco>; from dan@mostgraveconcern.com on Mon, Jul 03, 2000 at 08:43:38PM -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote:
> >> Doesn't your computer have a BIOS password? These are typically invoked
> >> *before* the BIOS tries to boot off any disk...
> >
> >Unfortunately BIOS passwords can be disabled on the motherboard in a matter
> >of minutes (for most motherboards that I know of). Even Dell laptops (don't
> >know about their desktops/servers) have a master password that Dell will give
> >you if you call them, provided you give them some details first.
>
> Looks like there's not really much you can do if you can't physically secure
> the machine.
>
> Even all the other tricks, boot only from hard drive, setting the delay to
> '0', are pointless if someone can get inside the hardware case, change
> jumpers, get into the BIOS and turn on boot from floppy and then boot from a
> floppy. On the other hand, if someone has the opportunity to do all that,
> they might as well just steal the whole box...
>
> Moral of the story: either secure the machine in a location where malicious
> users can't get to it or take the consequences.
>

Okay, my mistake: by "public access machine" I meant users have access to
the front panel of the PC (so they can use the floppy drive) and a keyboard
and monitor, but *NOT* the inside of the case (the case is sort of buried in
a wall).

And the problem I had was (apart from booting an evil kernel installed on
/tmp) that by setting the floppy drive to "none" in the BIOS the kernel
(4.0-STABLE) cannot use floppies after booting.

I do have a BIOS password, and from what I've heard there is no other way of
bypassing it except for the jumpers on the motherboard (impossible, see
above).

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|     -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."