Date: Tue, 11 Dec 2001 15:12:37 -0000
From: Paul Richards <paul@freebsd-services.com>
To: Wilko Bulte <wkb@freebie.xs4all.nl>, John Baldwin <jhb@FreeBSD.ORG>
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, mini@haikugeek.com, Alfred Perlstein <bright@mu.org>, Mike Silbersack <silby@silby.com>, Mike Barcroft <mike@FreeBSD.ORG>
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
Message-ID: <806020000.1008083557@lobster.originative.co.uk>
In-Reply-To: <20011211150833.B69619@freebie.xs4all.nl>
References: <616630000.1008044969@lobster.originative.co.uk> <XFMail.011210235132.jhb@FreeBSD.org> <20011211150833.B69619@freebie.xs4all.nl>
--On Tuesday, December 11, 2001 15:08:33 +0100 Wilko Bulte <wkb@freebie.xs4all.nl> wrote:

> On Mon, Dec 10, 2001 at 11:51:32PM -0800, John Baldwin wrote:
>>
>> On 11-Dec-01 Paul Richards wrote:
>> > --On Monday, December 10, 2001 22:18:36 -0500 Mike Barcroft
>> > <mike@FreeBSD.org> wrote:
>> >
>> >> Mike Silbersack <silby@silby.com> writes:
>> >>> On Mon, 10 Dec 2001, Alfred Perlstein wrote:
>> >>>
>> >>> > > All these loader commits make it possible to overwrite the
>> >>> > > existing contents of a file on a UFS filesystem.
>> >>> >
>> >>> > Yay! One "cool" feature at least from a security standpoint would
>> >>> > be adding a write once variable to turn this off so that one can't
>> >>> > use loader to smash /etc/passwd.
>> >>> >
>> >>> > John, or Jonathan... ? any plans on giving this a shot?
>> >>> >
>> >>> > -Alfred
>> >>>
>> >>> Hm, I wonder if write enabling should even be compiled into the
>> >>> loader by default - I think you're correct in suspecting that
>> >>> changing /etc/passwd will be the primary use of this feature. :|
>> >>
>> >> Why would someone use this feature to write to the password file, when
>> >> they can just boot into single user mode and use their favourite
>> >> editor?
>> >
>> > You need the superuser password to get to single user if the console is
>> > secure. The loader can be used to circumvent that now.
>>
>> As someone else has noted, setting your init path to /tmp/mybinary opens
>> your machine up to root rather trivially, and that doesn't require write
>> access. Note that we don't prevent doing 'more /etc/master.passwd' with
>> which one can then run crack against the root password or some other
>> utility. The assumption
>
> Consoles and/or systems not kept under lock and key (physically I mean)
> are doomed anyway. Clear the CMOS password (if set in the first place) and
> then boot from CD or floppy. Off you go..
I only mentioned the secure console issue because I guessed that Mike wasn't aware of it, so I'm not advocating that the loader change has opened up a big security hole. However, it has made some difference.

A box where the BIOS is passwd protected, and has been set to only allow booting from the hard disk, and where FreeBSD is configured to have a secure console, is pretty secure from a casual attack. You'd have to open up the box and clear the CMOS, and that sort of activity would be difficult in most situations and certainly something that would be noticed (we're not talking about sneaking into the server room late at night here, we're talking about office/classroom/lab environments where the admin is trying to protect the desktop systems from abuse).

The loader change means that all that's necessary now is to power cycle the box and stop in the boot loader and clear the root passwd. That's something that can be done while sitting quite innocuously at the console and not drawing any attention to oneself.

Paul Richards
FreeBSD Services Ltd
http://www.freebsd-services.com