Physically securing FreeBSD workstations & /boot/boot2

Nerius Landys nlandys at gmail.com
Thu Aug 6 18:35:23 UTC 2009


Hi.  I am attempting to secure some workstations in such a way that a
user would not be able to gain full control of the computer (only user
access). However, they are able to see and touch the physical
workstation.  Things I'm trying to avoid, to list a couple of
examples:

1. Go to BIOS settings and configure it to boot from CD first, then
stick in a CD.  To prevent this I've put BIOS to only boot from hard
drive and I've password-locked the BIOS.
2. Go to loader menu and load (boot kernel) with some custom
parameters or something.  I've secured the loader menu by
password-protecting it (/boot/loader.conf has password) and
/boot/loader.conf is not world-readable.

And I'm sure there are other things, I just forgot them.

So my question is: Is this [securing of the workstation] worthwhile,
or should I just forget about this kind of security?  I want to make
it so that the only way to gain full control of the computer is by
physically opening up the box.

I noticed that boot2 brings up a menu like this one when I press space
during the initial boot blocks:

>> FreeBSD/i386 BOOT
Default: 0:ad(0,a)/boot/loader
boot:

I guess it would be possible to stick in a floppy disk or something
and boot from there?  So my question is, is this a threat to my plan,
and if so, how can I disable this prompt?
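
The two loader settings described in the post (a password in /boot/loader.conf, and the file not being world-readable) can be verified with a short check. This is an added example, not part of the original message; the function name `audit_loader_conf` is hypothetical, and it assumes the `password="..."` line format from loader.conf(5).

```shell
#!/bin/sh
# Added example (not from the original post): audit the two
# /boot/loader.conf properties the post relies on.
# Usage: audit_loader_conf [path]   (path defaults to /boot/loader.conf)
# Return status is the number of findings (0 means both checks pass).

audit_loader_conf() {
    conf=${1:-/boot/loader.conf}
    findings=0

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found"
        return 1
    fi

    # The loader password is stored in cleartext, so a world-readable
    # file discloses it to every local user. -perm -004 tests the
    # "other read" mode bit and works with both BSD and GNU find.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $conf is world-readable (for example, chmod 600 it)"
        findings=$((findings + 1))
    fi

    # Require an uncommented, non-empty password assignment.
    # Commented-out lines and password="" do not count.
    if ! grep -Eq '^[[:space:]]*password="?[^"[:space:]#]+' "$conf"; then
        echo "FAIL: no loader password set in $conf"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $conf"
    return "$findings"
}
```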

