protecting loader

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Dec 5 06:57:38 PST 2003


On Fri, Dec 05, 2003 at 08:56:05AM -0500, Lowell Gilbert wrote:
> Dru <dlavigne6 at sympatico.ca> writes:

> > Is there a way to prevent a user from bypassing loader and
> > loading/unloading stuff at the OK prompt? (other than physical security
> > measures)
 
> I don't know, but I don't think it will help much.  It would still be
> possible to come up in single-user mode, which lets the user bypass
> anything you set up anyway.

Getting access to the loader prompt gives you rather more power than
just single user mode.  An attacker can boot their own kernel --
either from removable media or over the net -- can load their own
kernel modules into your regular kernel -- how about a module that
traps all of the keystrokes on each tty/pty: passwords would be a dime
a dozen -- and all sorts of other hijinks.

Single user mode can be protected by setting the console status to
insecure in /etc/ttys -- which will require that the root password is
given for access.  That protection is trivially bypassed with a fixit
disk and access to the loader/boot prompt.

The only other possible protection is to set a BIOS password, but that
means the machine will not re-boot unattended.

If you want to allow free access to a machine in a public place, then
to prevent people taking it over you need to:

    i) Physically prevent them from using their own removable media --
       floppy, CD and DVD drives either have to be removed, or secured
       by lock and key[1].

   ii) USB and other ports must be inaccessible -- can't get round the
       protections by installing your own hardware.

  iii) Must not use the local keyboard/mouse/video card for the system
       console -- making the serial port carry the console is a good
       idea, especially if you can arrange for a secured console
       server.  The public absolutely has to be prevented from
       accessing the system console.  Even so, while you can redirect
       the system console from within FreeBSD, you can't do similarly
       with the BIOS setup screens.  For that you need something like
       a RealWeasel card. 

Setting up an automatic login on the publicly accessible terminal --
so that the attacker cannot access the Login: prompt -- is a good idea.
Making that auto-login run a restricted software environment under a
non-privileged UID -- usually some sort of menu system or web-based
interface which restricts what the user may do to a small subset of
commands -- would be a good idea.

As would booting from read-only media -- not having a writable hard
drive in a machine does cramp the style of most attackers.

	Cheers,

	Matthew

[1] If you need access to these devices while running -- say you're
setting up a kiosk system where you can record music tracks onto CD-RW
-- then it should be possible to disable the devices in the BIOS, so
the system will ignore them at boot time, but let the usual boot-time
hardware probe find them so that they're available at run time.  Of
course, in this scenario, you'll have to prevent any attacker getting
access to the BIOS setup, which is very difficult on a standard PC
system.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
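A defender's check for the /etc/ttys console flag discussed above, as an added example that is not part of the original post. It takes the ttys file path as an argument (so it can be run on a copy rather than the live /etc/ttys) and works on a constructed sample embedded in the script.

```sh
#!/bin/sh
# Added example (not from the original post): audit an /etc/ttys file for the
# console entry's security flag and emit a hardened copy.
#
# Each non-comment /etc/ttys line is:  name getty type status [secure|insecure] [window]
# When the console line carries "secure", init starts the single-user shell as root
# without asking for a password; writing "insecure" (or omitting the word) makes
# init demand the root password first.

# Print "secure", "insecure" or "missing" for the console entry in the given file.
console_flag() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
        $1 == "console" {
            flag = "insecure"                           # no "secure" word => password required
            for (i = 2; i <= NF; i++) if ($i == "secure") flag = "secure"
            print flag; found = 1; exit
        }
        END { if (!found) print "missing" }             # no console entry at all
    ' "$1"
}

# Copy the file to stdout with "secure" replaced by "insecure" on the console line only.
# Every other line (ttyv*, ttyd*, comments) passes through unchanged; the edited
# console line is re-joined with single spaces between fields.
harden_ttys() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        $1 == "console" { for (i = 2; i <= NF; i++) if ($i == "secure") $i = "insecure" }
        { print }
    ' "$1"
}

# Demo on a constructed sample that mirrors the stock default (console marked secure).
sample=$(mktemp)
printf '# constructed sample /etc/ttys\nconsole\tnone\tunknown\toff\tsecure\nttyv0\t"/usr/libexec/getty Pc"\tcons25\ton\tsecure\n' > "$sample"
echo "console before: $(console_flag "$sample")"             # secure
harden_ttys "$sample" > "$sample.hardened"
echo "console after:  $(console_flag "$sample.hardened")"    # insecure
rm -f "$sample" "$sample.hardened"
```

Run against a copy first and diff the result before installing it as /etc/ttys; this only addresses the single-user-mode path, not the loader prompt the post is mainly about.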

