From: Nate Williams
Date: Tue, 11 Dec 2001 13:02:19 -0700
To: John Baldwin
Cc: Paul Richards, Wilko Bulte, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, mini@haikugeek.com, Alfred Perlstein, Mike Silbersack, Mike Barcroft
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID: <15382.26187.453320.35053@caddis.yogotech.com>
References: <868210000.1008098113@lobster.originative.co.uk>
Reply-To: nate@yogotech.com (Nate Williams)

> It has that, but it's simple. You didn't read my earlier message though where
> I detailed what we _did_ do for my lab at school. We didn't use the loader at
> all, instead we hacked (it was a small hack, and an #ifdef for it could be
> made) boot2 to not accept user input and to boot the kernel directly.

FWIW, this is what I did when I set up a lab full of insecure PCs. I simply created a custom boot loader that ignored user input. This was the best way I could think of to make the boxes secure. (That and forcing the box to boot from hard-disk first.)

Since I knew the password, I could change the boot order, then stick in a floppy to do recovery. Yes, it was a pain, but security doesn't come w/out costs.

Nate