On Wed, Feb 1, 2012 at 12:28 PM, Yasha Karant <[email protected]> wrote: > On 02/01/2012 09:03 AM, Konstantin Olchanski wrote: >> >> On Wed, Feb 01, 2012 at 08:47:28AM -0800, Yasha Karant wrote: >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=636628 > > [snip] > >> Anyone with physical access to the machine can walk away with your disks, >> or boot their own OS from a USB disk or from the network, and have root >> access >> to all files without having to get root access. So you can safely assume >> that for unfriendly purposes, having physical access is the same as >> knowing >> the root password. >> > > It is my understanding that if the BIOS on a standard IA-32 or X86-64 > machine is protected by a boot password, then there is no access to the boot > procedure of the BIOS and thus the media you suggest cannot be booted unless > these are in BIOS boot order preceding the physical internal hard drive. > > Am I an in error?
You're mistaken. It's a common practice in university environments or corporate environments to issue hardware with such a BIOS password set, to avoid precisely the kind of local boot order manipulation or live CD manipulation folks describe, and especially to protect the administrative password setting. But it's not a default on any of the hundreds of motherboards I've seen in my career. Now, if you wait a few years for UEFI to become commonplace as the new replacement for BIOS, we may run headlong into this. UEFI "secure boot" is designed to lock down boot processes and is likely to interfere profoundly with Linux installation.
