Date:      Tue, 11 Dec 2001 19:39:12 -0000
From:      Paul Richards <paul@freebsd-services.com>
To:        John Baldwin <jhb@FreeBSD.org>
Cc:        Wilko Bulte <wkb@freebie.xs4all.nl>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, mini@haikugeek.com, Alfred Perlstein <bright@mu.org>, Mike Silbersack <silby@silby.com>, Mike Barcroft <mike@FreeBSD.ORG>
Subject:   Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID:  <880100000.1008099552@lobster.originative.co.uk>
In-Reply-To: <XFMail.011211112119.jhb@FreeBSD.org>
References:   <XFMail.011211112119.jhb@FreeBSD.org>

--On Tuesday, December 11, 2001 11:21:19 -0800 John Baldwin
<jhb@FreeBSD.org> wrote:

> 
> On 11-Dec-01 Paul Richards wrote:
>> Well, I think your argument is a flawed one since you're trying to argue
>> that because you can think of one hole it's not a problem that you've
>> added another one.
> 
> If you have a piece of Swiss cheese, who is going to notice one more
> hole?  It's not like there was 1 hole before and now there are 2.  There
> are several holes and now there are several + 1 holes.
>  
>> So the issue is really whether we can secure the loader, because now that
>> I'm aware of that loophole it concerns me that it's so easy to
>> compromise a FreeBSD box.
>> 
>> Can we add a password feature to the loader so that we have a secure
>> loader?
> 
> It has that, but it's simple.  You didn't read my earlier message though
> where I detailed what we _did_ do for my lab at school.  We didn't use
> the loader at all, instead we hacked (it was a small hack, and an #ifdef
> for it could be made) boot2 to not accept user input and to boot the
> kernel directly.  This means using a static kernel, and in -current
> compiling your hints statically into the kernel.  This way you bypass the
> loader completely and don't have to worry about user input.  Granted, if
> you hose your kernel, you have to pull out a boot floppy to do recovery,
> but that is the price you pay.

But that's not very standard. If I were implementing a kiosk, then hacking on
the boot loader is fine for my specific application, but I think we should
strengthen the security of the generic loader.

Would it be difficult to add some crypt functions to the loader so that the
root passwd can be checked against /etc/master.passwd? The secure console
protection can then be pulled forward to earlier in the boot process.

Paul Richards
FreeBSD Services Ltd
http://www.freebsd-services.com

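The check Paul proposes above, an entered password verified against root's hash in /etc/master.passwd, as an added example that is not part of this thread and not FreeBSD loader code: it implements the $1$ MD5-crypt scheme (the format FreeBSD's crypt(3) produced by default at the time) on top of hashlib, so the check needs no libc crypt, looks up root's entry in a constructed master.passwd sample, and fails closed on a locked account ("*"), an empty password field, or any hash format it does not understand. The sample file contents, the function names and the password "Hello world!" are assumptions; root's stored hash is the published MD5-crypt reference value for that password with salt "saltstring" (the algorithm keeps only the first eight salt characters).

```python
import hashlib
import hmac

# Constructed sample of an /etc/master.passwd, not taken from any real system.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
# root's field is MD5-crypt("Hello world!", salt "saltstring"); toor is locked.
SAMPLE_MASTER_PASSWD = """\
root:$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s base-64 variant: low six bits first, 'count' characters."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> bytes:
    """MD5-crypt ($1$) as in FreeBSD's crypt(3); salt may be a full hash string."""
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Feed as many bytes of MD5(pw, salt, pw) as the password is long.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0].
    bit = len(password)
    while bit:
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()

    # 1000 stretching rounds mixing password, salt and the running digest.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return magic + salt + b"$" + encoded


def lookup_hash(master_passwd: str, user: str):
    """Return the password field for 'user' from master.passwd text, else None."""
    for line in master_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def check_password(master_passwd: str, user: str, candidate: str) -> bool:
    """Fail closed: only a well-formed $1$ hash that matches opens the door."""
    stored = lookup_hash(master_passwd, user)
    if stored is None or not stored.startswith("$1$"):
        return False  # no entry, locked ("*"), empty field, or other format
    computed = md5crypt(candidate.encode(), stored.encode())
    return hmac.compare_digest(computed, stored.encode())


if __name__ == "__main__":
    print(check_password(SAMPLE_MASTER_PASSWD, "root", "Hello world!"))
    print(check_password(SAMPLE_MASTER_PASSWD, "root", "hello world!"))
```

The salt is parsed out of the stored field rather than supplied separately, which is how crypt(3) itself is called, and the final comparison is constant-time. Note that a loader doing this has to read master.passwd with its own filesystem code before any kernel is running, which is exactly why John's boot2 approach avoided the problem by taking no input at all.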
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?880100000.1008099552>