
Re: Hiding init 1 safely



On Wed, Nov 14, 2001 at 04:13:50AM -0600, Colin Watson wrote:
> On Wed, Nov 14, 2001 at 09:29:00AM +0530, shyamk@eth.net wrote:
> > Dear members,
> >   Is there any safe way whereby I can hide init 1 from all
> > others who access my Mac?
> 
> It sounds like you're trying to secure against physical access. This is
> fundamentally hard. I suggest a password on your BIOS (what's the Mac
> equivalent?) and/or bootloader.

I tried to ask about physical access a while ago, but the list didn't
bite.  I had a couple of conversations about it elsewhere, and came up
with the following list of action / response to dictate how secure you
want your machine to be.

A) People can boot "LILO: linux single"
B) Disable lilo's boot prompt
A) But I want to boot multiple kernels / OSes
B) Put a password on single user mode (Debian does this)
A) What about "LILO: linux init=/bin/sh"?
B) Configure lilo to not accept kernel arguments.
A) Unfortunately, I need arguments to address my large memory
B) OK, you can give lilo a password to boot non-standard options
A) hmm.  That's nice.  But what if people bring in a floppy?
B) You'll need to disable booting from removable media in the BIOS.
A) But can't they change that?
B) Many BIOSes let you put a password on the BIOS too.
A) True.  But there's also usually a jumper on the board to clear that
password.
B) You're going to have to lock the case.  Most cases have a padlock
hole.  Or, you can separate the box from the input (in a public area,
make the keyboard and monitor accessible, and the box behind a wall).
A) That's unfortunately not feasible.  People need to have access to the
box, and it won't be watched.  Someone could take a circ saw to the case
and get at the jumper.
B) Make it a thin client.  Mount the entire system from somewhere else.
Then there's no system for them to get root.  Combining that with
requiring authentication before the machine can use net, you might be
able to prevent them from booting an entire system from local media and
using the machine for an untraced attack.  

That's about as far as it went.  Physical access is a losing battle, but
you can make it annoyingly difficult.

-ben 

-- 
Ben Hartshorne	...Discarding smoothly, as we disembark,
ben@hartshorne.net All thoughts that held us wiser for a moment
ben.hartshorne.net Up there, alone, in the impartial dark. -M. Oliver
My PGP key is at /pgp.txt.  Please encrypt all communications.
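
The LILO steps in the exchange above (a password on the boot prompt, required only for non-standard options) correspond to the `password`, `restricted` and `mandatory` keywords in lilo.conf. The following is an added example, not part of the original post: a small Python audit that reports how each boot entry is protected. The two sample configurations, the `CHANGE-ME` password and the function names are constructed for illustration.

```python
# Added example: classify LILO boot entries by how the boot prompt is protected.
# WEAK and HARDENED are constructed sample lilo.conf files, not real configs.
WEAK = """\
boot=/dev/hda
prompt
image=/vmlinuz
    label=linux
"""
HARDENED = """\
boot=/dev/hda
prompt
password=CHANGE-ME   # placeholder; keep lilo.conf readable by root only
restricted           # password needed only when arguments are typed
image=/vmlinuz
    label=linux
image=/vmlinuz.old
    label=old
    mandatory        # this entry always asks for the password
"""

def parse_lilo_conf(text):
    """Return (global options, list of per-image option dicts)."""
    global_opts, sections = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and key in ("image", "other"):  # a new boot entry starts here
            current = {"_path": value}
            sections.append(current)
        else:
            current[key] = value if sep else True
    return global_opts, sections

def audit(text):
    """Map each boot label to 'open', 'restricted' or 'mandatory'."""
    global_opts, sections = parse_lilo_conf(text)
    result = {}
    for sec in sections:
        merged = {**global_opts, **sec}       # per-image settings override global
        if "password" not in merged:
            level = "open"        # anyone can append single or init=/bin/sh
        elif "restricted" in merged and "mandatory" not in sec:
            level = "restricted"  # normal boot is free, extra arguments need the password
        else:
            level = "mandatory"   # password required to boot this entry at all
        result[sec.get("label", sec["_path"])] = level
    return result
```

Any entry reported as `open` still accepts arbitrary kernel arguments at the prompt; the parser treats every `#` as a comment start, so it assumes the password itself contains none.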
