From owner-freebsd-stable Tue Jul 4 3:48:31 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from frigga.circle.net (morrigu.circle.net [209.95.64.11])
        by hub.freebsd.org (Postfix) with ESMTP id 0948037B540;
        Tue, 4 Jul 2000 03:48:26 -0700 (PDT)
        (envelope-from tcobb@staff.circle.net)
Received: by FRIGGA with Internet Mail Service (5.5.2650.21)
        id <31V1XCK8>; Tue, 4 Jul 2000 06:48:12 -0400
From: Troy Arie Cobb
To: 'Alex Popa', Dan O'Connor
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: RE: securing the boot process (again?!?)
Date: Tue, 4 Jul 2000 06:48:12 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

There are small locks you can buy which fit into a floppy drive
and secure it with a key. If your users don't need to put floppies
in on a regular basis (but perhaps YOU do occasionally), then this
can be a good choice to avoid booting the evil-floppy-kernel.

-Troy Cobb
 Circle Net, Inc.
 http://www.circle.net
 1-800-321-2237 x308

> -----Original Message-----
> From: Alex Popa [mailto:razor@ldc.ro]
> Sent: Tuesday, July 04, 2000 6:27 AM
> To: Dan O'Connor
> Cc: freebsd-security@freebsd.org; freebsd-stable@freebsd.org
> Subject: Re: securing the boot process (again?!?)
>
>
> On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote:
> > >> Doesn't your computer have a BIOS password? These are typically
> > >> invoked *before* the BIOS tries to boot off any disk...
> > >
> > >Unfortunately BIOS passwords can be disabled on the motherboard in
> > >a matter of minutes (for most motherboards that I know of). Even
> > >Dell laptops (don't know about their desktops/servers) have a
> > >master password that Dell will give you if you call them, provided
> > >you give them some details first.
> >
> > Looks like there's not really much you can do if you can't
> > physically secure the machine.
> >
> > Even all the other tricks, boot only from hard drive, setting the
> > delay to '0', are pointless if someone can get inside the hardware
> > case, change jumpers, get into the BIOS and turn on boot from
> > floppy and then boot from a floppy. On the other hand, if someone
> > has the opportunity to do all that, they might as well just steal
> > the whole box...
> >
> > Moral of the story: either secure the machine in a location where
> > malicious users can't get to it or take the consequences.
> >
> Okay, my mistake: by "public access machine" I meant users have
> access to the front panel of the PC (so they can use the floppy
> drive) and a keyboard and monitor, but *NOT* the inside of the case
> (the case is sort of buried in a wall). And the problem I had was
> (apart from booting an evil kernel installed on /tmp) that by
> setting the floppy drive to "none" in the BIOS the kernel
> (4.0-STABLE) cannot use floppies after booting.
>
> I do have a BIOS password, and of what I've heard there is no other
> way of bypassing it except for the jumpers on the motherboard
> (impossible, see above).
>
> ------------+------------------------------------------
> Alex Popa,  |There never was a good war or a bad peace
> razor@ldc.ro|               -- B. Franklin
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message