There are many real-world situations where console access is possible
(even desirable) but this attack isn't viable. A computer in a public
library, Internet cafe, or university computer lab usually has some
human supervisors around who will apprehend anyone who wants to crack
the system with a screwdriver. Even without supervision, some security
measures are usually taken to prevent people from getting into the
machine, if only to prevent them from taking the SIMMs out of it and
selling them to the highest bidder. Academic installations routinely
unplug the RESET button.

I prefer to think of console security in terms of the "screwdriver rule":
If the attacker doesn't have a screwdriver (or more sophisticated tools)
then they should just give up, go home, and use sendmail security holes
to log in as root over the net. ;-)

Put a password on the BIOS, and another on LILO, and make sure your
/etc/rc scripts don't suddenly jump out of e2fsck into a root shell.
If you *can* prevent the case from being opened, then this extra hardening
is very useful.
-- Zygo Blaxell. Unix/soft/hardware/firewall/security guru. 10th place, ACM Intl Prog Contest, 1995. Admin Linux+Solaris for food, Tshirts, anime. Pager: 1613 7608572. "I gave up $1000 to avoid working on windoze... *sigh*"-Amy Fong. "smb is a microsoft toy, like a "child" protocol that never matured"-S Boisjoli.
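
Added example, not part of the original post: a shell audit for the LILO and /etc/rc advice in the message above. The file names, sample contents and the functions audit_lilo, audit_rc and make_samples are assumptions made for illustration; password= and restricted are LILO options, and sulogin is the standard maintenance login that asks for the root password.

```shell
#!/bin/sh
# Added example (not from the original post). All sample files are constructed.

# Report weaknesses in a lilo.conf; returns non-zero when one is found.
audit_lilo() {
    conf=$1
    # LILO's password= option gates the boot prompt. Ignore commented-out lines.
    if ! sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "$conf: no password=; boot parameters can be typed without authentication"
        return 1
    fi
    # The password is stored in clear text, so group/other must have no access.
    if [ "$(ls -l "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: contains a password but is accessible to non-root users"
        return 1
    fi
    return 0
}

# Flag rc-script lines that start a bare shell. A failed e2fsck should lead to
# sulogin (which asks for the root password), never directly to sh.
audit_rc() {
    rc=$1
    hits=$(sed 's/#.*//' "$rc" |
        grep -En '^[[:space:]]*(exec[[:space:]]+)?(/bin/)?(sh|bash)([[:space:]]+-i)?[[:space:]]*$' || true)
    [ -z "$hits" ] && return 0
    echo "$rc: shell started without authentication at line(s):"
    echo "$hits"
    return 1
}

# Write constructed sample files into directory $1.
# "restricted" makes LILO ask for the password only when boot parameters are typed.
make_samples() {
    printf 'boot=/dev/hda\nprompt\nimage=/vmlinuz\n  label=linux\n' > "$1/lilo.weak"
    printf 'boot=/dev/hda\nprompt\npassword=CHANGEME\nrestricted\nimage=/vmlinuz\n  label=linux\n' > "$1/lilo.hard"
    chmod 644 "$1/lilo.weak"; chmod 600 "$1/lilo.hard"
    printf '#!/bin/sh\nif ! e2fsck -p /dev/hda1; then\n  echo "fsck failed"\n  /bin/sh\nfi\n' > "$1/rc.weak"
    printf '#!/bin/sh\nif ! e2fsck -p /dev/hda1; then\n  echo "fsck failed"\n  sulogin\nfi\n' > "$1/rc.hard"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in weak hard; do
    audit_lilo "$dir/lilo.$f" || true
    audit_rc "$dir/rc.$f" || true
done
rm -rf "$dir"
```

On a real machine, point audit_lilo at /etc/lilo.conf and audit_rc at each boot script; the shell pattern is a heuristic and will not follow shells started through variables or helper functions.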