From owner-freebsd-hackers Sat Jun 28 00:21:56 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA09053 for hackers-outgoing; Sat, 28 Jun 1997 00:21:56 -0700 (PDT)
Received: from sendero-ppp.i-connect.net (sendero-ppp.i-Connect.Net [206.190.143.100]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id AAA09035 for ; Sat, 28 Jun 1997 00:21:48 -0700 (PDT)
Received: (qmail 28507 invoked by uid 1000); 28 Jun 1997 07:14:56 -0000
Message-ID:
X-Mailer: XFMail 1.2-alpha [p0] on FreeBSD
Content-Type: text/plain; charset=iso-8859-8
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <199706271720.DAA01015@godzilla.zeta.org.au>
Date: Sat, 28 Jun 1997 00:14:56 -0700 (PDT)
Organization: Atlas Telecom
From: Simon Shapiro
To: Bruce Evans
Subject: Re: com console, and h/w flow control...
Cc: mburgett@cmnsens.zoom.com, freebsd-hackers@FreeBSD.ORG
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Hi Bruce Evans; On 27-Jun-97 you wrote:

...

> crtscts is not the default, and clocal _is_ the default, to prevent
> processes endless waits for console output. clocal is locked on.
> -current also locks the speed. Perhaps crtscts should be locked
> (off) too. Then stty'ing /dev/ttyd0 would be harder :-).
>
> Bruce

There is a serious security issue here, worth considering (assuming clocal mode ignores modem controls):

One logs in on the serial console from a modem (or terminal server), becomes root and the serial connection drops (noisy modem line, etc.). At this point ANYONE who dials in is ROOT!

Even if you did not log in as root, all one has to do is dial in, type the magic key sequence and be in the kernel debugger.

The most common configuration in an industrial computer setup is to have a group of PCs, in a 19" rackmount, all on serial console, all attached to a terminal server. The terminal server is attached to a modem and/or Ethernet, via which the group of processors is managed. Actually, we are building just such a system right now.

We ridicule Slowlaris to no end for their incredible stupidity by having just such a ``feature''.

I am SURE I am missing something in this discussion...

Simon
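An added example, not part of the original message or of FreeBSD's code: a small C audit of the termios control flags behind the concern raised above, reporting when a serial line ignores carrier loss. The finding names and helper functions are hypothetical; `/dev/ttyd0` is the device named in the quoted text.

```c
#include <fcntl.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Finding bits returned by audit_cflag() (hypothetical names). */
#define F_CARRIER_IGNORED 0x1u /* CLOCAL set: a dropped carrier does not end the session */
#define F_NO_HANGUP_CLOSE 0x2u /* HUPCL clear: modem lines stay raised after last close */

/* Classify the control flags of a dial-in serial line. */
unsigned audit_cflag(tcflag_t cflag)
{
    unsigned findings = 0;
    /* With CLOCAL clear, loss of carrier makes the driver send SIGHUP to the
     * session on that line; with CLOCAL set, the logged-in shell survives. */
    if (cflag & CLOCAL)
        findings |= F_CARRIER_IGNORED;
    /* HUPCL drops the modem control lines when the last process closes the port. */
    if (!(cflag & HUPCL))
        findings |= F_NO_HANGUP_CLOSE;
    return findings;
}

/* Read the flags from a real device; returns -1 if it cannot be queried. */
int audit_tty(const char *path)
{
    struct termios t;
    /* O_NONBLOCK: do not wait for carrier; O_NOCTTY: do not adopt the line. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    int rc = tcgetattr(fd, &t);
    close(fd);
    return rc < 0 ? -1 : (int)audit_cflag(t.c_cflag);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/ttyd0";
    int f = audit_tty(path);
    if (f < 0) {
        perror(path);
        return 2;
    }
    if (f & F_CARRIER_IGNORED)
        printf("%s: CLOCAL set, session persists across carrier loss\n", path);
    if (f & F_NO_HANGUP_CLOSE)
        printf("%s: HUPCL clear, line is not hung up on last close\n", path);
    return f ? 1 : 0;
}
```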