Re: Speaking of SysRQ...

Rob Hagopian (hagopiar@vuser.vu.union.edu)
Wed, 10 Jun 1998 21:27:35 -0400 (EDT)


On Wed, 10 Jun 1998, Richard B. Johnson wrote:

> It has been pretty much accepted in Commercial Industry that if you have
> physical access to a computer, there is no real security. A floppy disk
> will boot linux, mount the root fs and execute bash.

Not if you turn off booting from floppy in BIOS. Or just don't tell the
BIOS it's there, Linux'll still find it...

> SunOS will boot from a CDROM, you can then hack at the root fs all you
> want.
>
> Even VAX/VMS (the minion of security), can be booted into SYSBOOT from
> the console, set SYSUAFALT to 1 and continue. Then anyone can log in
> as SYSTEM (like root) from the console. If there IS an alternate
> password file, you just use N > 1.

While the quote got snipped, I didn't actually suggest access to the box
itself. In any case, you imply that because other OSes have weak security
in these areas linux should too? <shudder>

> There are back-doors on every machine I know about so the person who has
> physical possession can take control. Otherwise, you'd be hard-pressed to
> sell used equipment.

That's something different. Back-doors usually take the form of losing the
data existing - reformatting a hard drive, clearing a BIOS password, etc.
The trick for a lab machine is not giving someone the chance to run a
reformat utility and putting a lock on the case so they can't clear the
BIOS password.

> There is even a "general-purpose" password that will get you into
> the ROM-BIOS Setup of most computers. This is so you don't have
> to short out the battery if the password is lost.

I have yet to hear of one, and usually they do get circulated; if you
follow Bugtraq, 3com just got bitten by this one. Most computers that I
know of have jumpers inside (ie. lock the case) that will reset the
password.

> If you need security, you put the machine in a locked room and
> access it over the network or a serial link. That's what we do
> with all our servers including name-servers, etc.

People can run packet sniffers on shared networks, so now we're back to
using serial links for secure systems? Wonderful. And don't forget,
physical security ain't all it's cracked up to be...
-Rob H.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu