Date: Tue, 11 Dec 2001 11:21:19 -0800 (PST) From: John Baldwin <jhb@FreeBSD.org> To: Paul Richards <paul@freebsd-services.com> Cc: Wilko Bulte <wkb@freebie.xs4all.nl>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, mini@haikugeek.com, Alfred Perlstein <bright@mu.org>, Mike Silbersack <silby@silby.com>, Mike Barcroft <mike@FreeBSD.ORG> Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp Message-ID: <XFMail.011211112119.jhb@FreeBSD.org> In-Reply-To: <868210000.1008098113@lobster.originative.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11-Dec-01 Paul Richards wrote: > Well, I think your argument is a flawed one since you're trying to argue > that because you can think of one hole it's not a problem that you've added > another one. If you have a piece of Swiss cheese, who is going to notice one more hole? It's not like there was 1 hole before and now there are 2. There are several holes and now there are several + 1 holes. > So the issue is really whether we can secure the loader, because now that > I'm aware of that loophole it concerns me that it's so easy to compromise a > FreeBSD box. > > Can we add a password feature to the loader so that we have a secure loader? It has that, but it's simple. You didn't read my earlier message though where I detailed what we _did_ do for my lab at school. We didn't use the loader at all, instead we hacked (it was a small hack, and an #ifdef for it could be made) boot2 to not accept user input and to boot the kernel directly. This means using a static kernel, and in -current compiling your hints statically into the kernel. This way you bypass the loader completely and don't have to worry about user input. Granted, if you hose your kernel, you have to pull out a boot floppy to do recovery, but that is the price you pay. -- John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.011211112119.jhb>