Dan O'Connor wrote:
>
> >I have been trying to secure (a bit) the boot process of a 4.0-STABLE
> >machine that is located in a public place.
> >
> >I need to use the floppy disk, but if I disable it from the BIOS I get
> >no access to it under FreeBSD. So I set the boot sequence to "C only"
> >but if I press space while the initial hyphen is displayed i get a
> >prompt with no password being requested. (Note I have set a password
> >in /boot/loader.conf, and set the console to "insecure" in /etc/ttys)
> >
> >The problem is I can boot any kernel or loader, including a kernel off
> >the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From
> >there to a setuid(12345) that yields uid=0 (patched kernel, remember?)
> >is just a small step. Any ideas for further improvement of the boot
> >process security?
>
> Doesn't your computer have a BIOS password? These are typically invoked
> *before* the BIOS tries to boot off any disk...
Unfortunately BIOS passwords can be disabled on the motherboard in a matter
of minutes (for most motherboards that I know of). Even Dell laptops (don't
know about their desktops/servers) have a master password that Dell will give
you if you call them, provided you give them some details first.
Regards
---------------------\=-_ _-=/
Andrew Johns BSc. \ \==/ /
Principal Consultant \ /
KPI Logistics Pty Ltd \ /
mailto:[EMAIL PROTECTED] \ +/
http://www.kpi.com.au \/
How do I set this laser printer to stun?
My favourite boot labels:
F1 Real OS -> http://www.FreeBSD.org
F2 Pretend OS -> http://www.microsoft.com
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message
