From owner-cvs-all Tue Dec 11 11:15:21 2001
Date: Tue, 11 Dec 2001 19:15:13 -0000
From: Paul Richards
To: John Baldwin
Cc: Mike Barcroft, Mike Silbersack, Alfred Perlstein, mini@haikugeek.com, cvs-all@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, Wilko Bulte
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID: <868210000.1008098113@lobster.originative.co.uk>
X-Mailer: Mulberry/2.1.1 (Linux/x86)

--On Tuesday, December 11, 2001 10:31:57 -0800 John Baldwin wrote:

>
> On 11-Dec-01 Paul Richards wrote:
>> A box where the BIOS is passwd protected, and has been set to only allow
>> booting from the hard disk and where FreeBSD is configured to have a
>> secure console is pretty secure from a casual attack. You'd have to open
>> up the box and clear the CMOS and that sort of activity would be
>> difficult in most situations and certainly something that would be
>> noticed (we're not talking about sneaking into the server room late at
>> night here, we're talking about office/classroom/lab environments where
>> the admin is trying to protect the desktop systems from abuse).
>>
>> The loader change means that all that's necessary now is to power cycle
>> the box and stop in the boot loader and clear the root passwd. That's
>> something that can be done while sitting quite innocuously at the
>> console and not drawing any attention to oneself.
>
> You mean one couldn't compile a custom kernel module to allow root access,
> stick it in /tmp, reboot, break into the loader prompt and load
> /tmp/mymodule.ko and then boot the system before? :) It's no more
> vulnerable than it was before. Also, writing to the file itself isn't
> that easy unless you are a Forth hacker. This wouldn't apply in the lab
> of machines I admin'd at college for CS undergrads for example since no
> one knew Forth.

Well, I think your argument is a flawed one, since you're trying to argue that because you can think of one hole it's not a problem that you've added another one.

However, that's not a constructive direction to go in, and I can think of at least one other way of circumventing the secure console once you're in the loader, by changing the boot device for the third stage.

So the issue is really whether we can secure the loader, because now that I'm aware of that loophole it concerns me that it's so easy to compromise a FreeBSD box.

Can we add a password feature to the loader so that we have a secure loader?

Paul Richards
FreeBSD Services Ltd
http://www.freebsd-services.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message