Re: ***HUGE*** security hole??!! (Re: Lost root passwd)
In <[🔎] XFMail.981010131317.shaleh@livenet.net>, on 10/10/98
at 01:13 PM, Shaleh <shaleh@livenet.net> said:
>But people can always yank the power cord. Follow Paul's advice -- make
>the machine physically in-accessible. Lock it, fence it in, whatever.
>Locking racks is also nice. That way people can't even see the machine,
>just a big cabinet.
>What if it is a workstation in a lab? Then disable as much as you can.
>Make sure bios is safe if it is a x86 box. This is why real workstations
>are nice -- they are much more secure than x86 PC's.
Most x86 pc's can be set to boot from harddisk *only*, with a password-
protected bios. This means the machine is safe as long as people don't
remove the cover. (Resetting the bios password is then trivial by
removing the backup battery. A floppy-less workstation may be useful
though, and nothing stops you from compiling a lilo that doesn't accept
any keyboard input.)
No workstation is safe if people can remove the cover. Connecting a
carefully prepared scsi drive would be one way of circumventing security
- on any platform. (Lab people tend to know how to use a screwdriver.
Keep the machine in a locked cabinet
or a safe if security is paramount.)
The ability to take control over an accessible machine is usually useful.
What if the password file get corrupted? Or the system manager who knows
the password dies or goes on strike? Sitting there with a lot of
important data that cannot be read from an encrypted drive isn't that
funny.
Helge Hafting
--
-----------------------------------------------------------
helge.hafting@daldata.no
-----------------------------------------------------------
Reply to: