Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!agate!agate.berkeley.edu!cgd
From: cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou)
Newsgroups: comp.os.386bsd.questions
Subject: Re: Security question
Date: 3 Dec 93 23:25:17
Organization: Kernel Hackers 'r' Us
Lines: 46
Message-ID: <CGD.93Dec3232517@eden.CS.Berkeley.EDU>
References: <2dodgn$s9s@bigboote.WPI.EDU> <1993Dec4.065700.11472@news.csuohio.edu>
NNTP-Posting-Host: eden.cs.berkeley.edu
In-reply-to: stever@csuohio.edu's message of Sat, 4 Dec 1993 06:57:00 GMT

In article <1993Dec4.065700.11472@news.csuohio.edu> stever@csuohio.edu (Steve Ratliff) writes:
> Basically, with the PC architecture you can't win. Even if you
>could prevent single user booting somebody could boot off a floppy and
>do whatever they like. The key point is that you have to ensure that
>nobody has physical access to the console.

this is simply not true.

you have to do the following to make a PC secure:
	(1) jumper the turbo and reset switches, so that users
	    can't change their settings
	(2) have the power supply set up so that it's always on.
	    (i.e. remove the switch)
	(3) seal the case in some way so that users can't
	    physically open it.
	(4) set your bios to boot off of c: before a:
	(5) set the bios passwd, so users can't change it.
	(6) adjust the boot block so that it doesn't accept
	    input regarding boot device and the debugging flag
	(7) set up init so that single-user boots are 'secure'
	    (man ttys for more info).

(1) and (2) aren't necessary, really; most workstations in computer labs
can be reset...

(3) would be accomplished by locking the system down with a reasonable
theft prevention device.

(4) and (5) are trivial for any modern bios.

(6) is easy; delete a few lines of code from the boot blocks, and
reinstall them

(7) is very simple (a one word addition to /etc/ttys), assuming
you're using a 'reasonable' /sbin/init. NetBSD ships with one
that supports security, by default. I dunno about FreeBSD.
last i saw, 386BSD's init was insecure.

cgd
--
chris g. demetriou                                   cgd@cs.berkeley.edu

smarter than your average clam.
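
Added example, not part of the original post: a small audit for step (7) that parses ttys(5)-style text and reports whether the console entry leaves single-user boots protected. It assumes the 4.4BSD-derived behaviour in which init asks for the root password when the console line lacks the `secure` flag; the sample file contents, the function names and the word `insecure` in the hardened sample are constructed for illustration (the check relies only on `secure` being absent).

```python
import shlex
import sys

# Constructed sample ttys(5) contents; not taken from the original post.
SAMPLE_WEAK = """\
# name  getty                          type     status
console "/usr/libexec/getty Pc"        pc3      on secure
ttyv0   "/usr/libexec/getty Pc"        pc3      on secure
tty00   "/usr/libexec/getty std.9600"  unknown  off
"""
# Same file with only the console entry changed.
SAMPLE_HARDENED = SAMPLE_WEAK.replace("on secure", "on insecure", 1)


def parse_ttys(text):
    """Map each terminal name to the set of status flags on its line."""
    entries = {}
    for line in text.splitlines():
        # shlex keeps the quoted getty command as one field and drops '#' comments.
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        name, _command, _termtype, *flags = fields
        entries[name] = set(flags)
    return entries


def audit_console(text):
    """Return (ok, message); ok means init will demand root's password."""
    entries = parse_ttys(text)
    if "console" not in entries:
        return False, "no console entry: cannot confirm single-user boots are protected"
    if "secure" in entries["console"]:
        return False, "console is 'secure': single-user boot gives a root shell with no password"
    return True, "console is not 'secure': init asks for the root password in single-user mode"


if __name__ == "__main__":
    # With no argument, audit the two constructed samples; otherwise audit the given file.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak sample": SAMPLE_WEAK, "hardened sample": SAMPLE_HARDENED}
    for label, text in samples.items():
        ok, message = audit_console(text)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {message}")
```

The result reflects only the configuration file; as the post notes, it matters only when the installed /sbin/init honours the flag.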