Re: protecting loader
Dru [EMAIL PROTECTED] writes:

> Is there a way to prevent a user from bypassing loader and
> loading/unloading stuff at the OK prompt? (other than physical security
> measures)

I don't know, but I don't think it will help much. It would still be possible to come up in single-user mode, which lets the user bypass anything you set up anyway.

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password public
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: protecting loader
On Fri, Dec 05, 2003 at 08:56:05AM -0500, Lowell Gilbert wrote:
> Dru [EMAIL PROTECTED] writes:
>
> > Is there a way to prevent a user from bypassing loader and
> > loading/unloading stuff at the OK prompt? (other than physical security
> > measures)
>
> I don't know, but I don't think it will help much. It would still be
> possible to come up in single-user mode, which lets the user bypass
> anything you set up anyway.

Getting access to the loader prompt gives you rather more power than just single user mode. An attacker can boot their own kernel -- either from removable media or over the net -- can load their own kernel modules into your regular kernel -- how about a module that traps all of the keystrokes on each tty/pty: passwords would be a dime a dozen -- and all sorts of other hijinks.

Single user mode can be protected by setting the console status to insecure in /etc/ttys -- which will require that the root password is given for access. That protection is trivially bypassed with a fixit disk and access to the loader/boot prompt. The only other possible protection is to set a BIOS password, but that means the machine will not re-boot unattended.

If you want to allow free access to a machine in a public place, then to prevent people taking it over you need to:

  i) Physically prevent them from using their own removable media -- floppy, CD and DVD drives either have to be removed, or secured by lock and key[1].

  ii) USB and other ports must be inaccessible -- can't get round the protections by installing your own hardware.

  iii) Must not use the local keyboard/mouse/video card for the system console -- making the serial port carry the console is a good idea, especially if you can arrange for a secured console server. The public absolutely has to be prevented from accessing the system console. Even so, while you can redirect the system console from within FreeBSD, you can't do similarly with the BIOS setup screens. For that you need something like a RealWeasel card.

Setting up an automatic login on the publicly accessible terminal -- so that the attacker cannot access the Login: prompt is a good idea. Making that auto-login run a restricted software environment under a non-privileged UID -- usually some sort of menu system or web-based interface which restricts what the user may do to a small subset of commands would be a good idea. As would booting from read-only media -- not having a writable hard drive in a machine does cramp the style of most attackers.

Cheers,

Matthew

[1] If you need access to these devices while running -- say you're setting up a kiosk system where you can record music tracks onto CD-RW -- then it should be possible to disable the devices in the BIOS, so the system will ignore them at boot time, but let the usual boot-time hardware probe find them so that they're available at run time. Of course, in this scenario, you'll have to prevent any attacker getting access to the BIOS setup, which is very difficult on a standard PC system.

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
Re: protecting loader
On Thu, Dec 04, 2003 at 02:20:07PM -0500, Dru wrote:
> Is there a way to prevent a user from bypassing loader and
> loading/unloading stuff at the OK prompt? (other than physical security
> measures)
>
> I tried placing /boot/loader -n in /boot.config, but it didn't make a
> difference.
>
> Dru

If I understand your question, you could put the following line in your /boot/loader.conf file:

    autoboot_delay=0

I think this will effectively prevent users from interrupting the loader to make changes. Just make sure that you have some other way to boot the system, such as a floppy, in case you later run into problems.

Nathan

--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
Re: protecting loader
On Thu, 4 Dec 2003, Nathan Kinkade wrote:
> On Thu, Dec 04, 2003 at 02:20:07PM -0500, Dru wrote:
> > Is there a way to prevent a user from bypassing loader and
> > loading/unloading stuff at the OK prompt? (other than physical security
> > measures)
> >
> > I tried placing /boot/loader -n in /boot.config, but it didn't make a
> > difference.
> >
> > Dru
>
> If I understand your question, you could put the following line in your
> /boot/loader.conf file:
>
>     autoboot_delay=0
>
> I think this will effectively prevent users from interrupting the loader
> to make changes. Just make sure that you have some other way to boot the
> system, such as a floppy, in case you later run into problems.
>
> Nathan
>
> --
> gpg --keyserver pgp.mit.edu --recv-keys D8527E49

Actually, I discovered that password=somevalue in /boot/loader.conf filled the bill quite nicely :-)

Dru
Re: protecting loader
I habitually put autoboot_delay=0 in /boot/loader.conf because I'm impatient. It doesn't stop me from booting into single-user mode - you just have to hit a key while loader(8) is spinning, before it starts the kernel.

As far as I can tell, the options in /boot.config apply to boot2, which has its own command prompt. I occasionally interrupt that one by mistake, and get confused because it's nothing like loader. So if you want to tie down the boot process, you will probably need to use both files.

----- Original Message -----
From: Dru [EMAIL PROTECTED]
Subject: Re: protecting loader

On Thu, 4 Dec 2003, Nathan Kinkade wrote:
> On Thu, Dec 04, 2003 at 02:20:07PM -0500, Dru wrote:
> > Is there a way to prevent a user from bypassing loader and
> > loading/unloading stuff at the OK prompt? (other than physical security
> > measures)
> >
> > I tried placing /boot/loader -n in /boot.config, but it didn't make a
> > difference.
> >
> > Dru
>
> If I understand your question, you could put the following line in your
> /boot/loader.conf file:
>
>     autoboot_delay=0
>
> I think this will effectively prevent users from interrupting the loader
> to make changes. Just make sure that you have some other way to boot the
> system, such as a floppy, in case you later run into problems.
>
> Nathan
>
> --
> gpg --keyserver pgp.mit.edu --recv-keys D8527E49

Actually, I discovered that password=somevalue in /boot/loader.conf filled the bill quite nicely :-)

Dru
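The settings raised across this thread (password= in /boot/loader.conf, the console marked insecure in /etc/ttys, and -n in /boot.config) can be checked with a short audit script. This is an added example, not part of any poster's message; the function names and sample files are constructed here, and the world-readable check is an added assumption that follows from password= being stored in cleartext.

```sh
#!/bin/sh
# Added example: audit the boot settings named in this thread.

# Print the last value assigned to KEY ($2) in a loader.conf-style file ($1).
loader_conf_get() {
    awk -v key="$2" '
        { sub(/[#].*/, "") }                    # drop comments
        match($0, "^[ \t]*" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim blanks and quotes
            val = v
        }
        END { print val }' "$1"
}

# Succeed if the console entry in an /etc/ttys-style file ($1) is "insecure".
console_is_insecure() {
    awk '$1 == "console" { for (i = 2; i <= NF; i++) if ($i == "insecure") ok = 1 }
         END { exit !ok }' "$1"
}

# Args: loader.conf, ttys, boot.config. Returns the number of findings.
audit_boot() {
    n=0
    if [ -z "$(loader_conf_get "$1" password)" ]; then
        echo "FINDING: no password= in $1, loader prompt is unprotected"; n=$((n + 1))
    elif [ -n "$(find "$1" -perm -004)" ]; then
        echo "FINDING: $1 is world-readable and holds the password in cleartext"; n=$((n + 1))
    fi
    if ! console_is_insecure "$2"; then
        echo "FINDING: console not 'insecure' in $2, single-user needs no root password"; n=$((n + 1))
    fi
    # -n makes boot2 ignore keypresses before loader(8) starts (boot(8)).
    if ! grep -Eq '(^|[[:space:]])-[A-Za-z]*n' "$3" 2>/dev/null; then
        echo "FINDING: no -n in $3, boot2 can be interrupted before loader runs"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files (not from the thread): only autoboot_delay is set.
d=$(mktemp -d)
printf 'autoboot_delay="0"\n' > "$d/loader.conf"
printf 'console none unknown off secure\n' > "$d/ttys"
: > "$d/boot.config"
audit_boot "$d/loader.conf" "$d/ttys" "$d/boot.config" || echo "findings: $?"
rm -rf "$d"
```

On a live system the arguments would be /boot/loader.conf, /etc/ttys and /boot.config; a clean result says nothing about the physical and BIOS-level bypasses described earlier in the thread.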
protecting loader
Is there a way to prevent a user from bypassing loader and loading/unloading stuff at the OK prompt? (other than physical security measures)

I tried placing /boot/loader -n in /boot.config, but it didn't make a difference.

Dru