Date: Tue, 11 Dec 2001 12:12:27 -0800 (PST) From: John Baldwin <jhb@FreeBSD.org> To: Nate Williams <nate@yogotech.com> Cc: Mike Barcroft <mike@FreeBSD.org>, Mike Silbersack <silby@silby.com>, Alfred Perlstein <bright@mu.org>, mini@haikugeek.com, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Wilko Bulte <wkb@freebie.xs4all.nl>, Paul Richards <paul@freebsd-services.com> Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp Message-ID: <XFMail.011211121227.jhb@FreeBSD.org> In-Reply-To: <15382.26187.453320.35053@caddis.yogotech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11-Dec-01 Nate Williams wrote: >> It has that, but it's simple. You didn't read my earlier message though >> where >> I detailed what we _did_ do for my lab at school. We didn't use the loader >> at >> all, instead we hacked (it was a small hack, and an #ifdef for it could be >> made) boot2 to not accept user input and to boot the kernel directly. > > FWIW, this is what I did when I setup a lab full of insecure PC's. I > simply created a custom boot loader that ignored user input. > > This was the best way I could think of to make the boxes secure. (That > and forcing the box to boot from hard-disk first.) > > Since I knew the password, I could change the boot order, then stick in > a floppy to do recovery. Yes, it was a pain, but security doesn't come > w/out costs. Yep, exactly what we did. It's a very simple change to boot2 and I could make it configurable so that one did 'make -DBOOT_BOOT2_SECURE BOOT_BOOT2_KERNEL="/boot/kernel/kernel"' to make boot2 not accept user input and load /boot/kernel/kernel instead of /boot/loader if desired. > Nate -- John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.011211121227.jhb>