Date: Tue, 11 Dec 2001 10:31:57 -0800 (PST)
From: John Baldwin
To: Paul Richards
Cc: Mike Barcroft, Mike Silbersack, Alfred Perlstein, mini@haikugeek.com, cvs-all@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, Wilko Bulte
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
In-Reply-To: <806020000.1008083557@lobster.originative.co.uk>

On 11-Dec-01 Paul Richards wrote:
> A box where the BIOS is passwd protected, and has been set to only allow
> booting from the hard disk and where FreeBSD is configured to have a secure
> console is pretty secure from a casual attack. You'd have to open up the
> box and clear the CMOS and that sort of activity would be difficult in most
> situations and certainly something that would be noticed (we're not talking
> about sneaking into the server room late at night here, we're talking about
> office/classroom/lab environments where the admin is trying to protect the
> desktop systems from abuse).
>
> The loader change means that all that's necessary now is to power cycle the
> box and stop in the boot loader and clear the root passwd. That's something
> that can be done while sitting quite innocuously at the console and not
> drawing any attention to oneself.

You mean one couldn't compile a custom kernel module to allow root access,
stick it in /tmp, reboot, break into the loader prompt and load
/tmp/mymodule.ko and then boot the system before? :) It's no more vulnerable
than it was before.

Also, writing to the file itself isn't that easy unless you are a Forth
hacker. This wouldn't apply in the lab of machines I admin'd at college for
CS undergrads for example since no one knew Forth.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/