[lug] Re: linux

D. Stimits stimits at idcomm.com
Tue Jun 19 14:22:18 MDT 2001 

Eric Kilfoil wrote:
> 
> Password protecting the bootup can be a bad idea.  If you ever have a
> power problem, or for some reason, the machine reboots itself, you'll have
> to physically go to the machine to type in the password and let it boot.

Not necessarily, many BIOSes allow you to set a password against
altering boot sectors, but not to boot up. That is usually what enabling
virus protection in the BIOS does. Often you can also set it so that
BIOS cannot be manipulated without a pass, but it won't stop normal
boot.

> 
> With physical access to the machine, you can ALWAYS gain root access.  A
> CMOS password is a false sense of security.  There is no way around this.
> The key is to protect the physical machine from unwanted parties gaining
> access to the computer room.

If the intruder is in the room with the machine it is a whole new game.
A business can do other things to protect itself, but a CMOS pass
against boot sector alterations can be very effective against a remote
user wanting to alter bootup.

> 
> Ways to gain root access when physical access is available:
> 
> boot from secondary media, mount the hard drive's root as /mnt/, modify
> the passwd/shadow file.

If the BIOS is set to not allow modification without a pass, and the
bootup device order excludes floppy and CD, then the case would have to
be physically opened, even with a boot floppy. That's a whole new story
compared to a remote script kiddie.

> 
> BIOS passwords:  Trip the jumper to reset the BIOS on the motherboard.
> Remove the CMOS battery.
> 
> Remove the Hard drive, put in another machine, mount paritions and change
> passwords.
> 
> As you can see, when you have physical access to the computer, there is no
> way to protect it.  This is true with any operating system, although
> products such as Pitbull claim to protect a little better.
> 
> There are probably projects which encrypt data on the disk and can tie
> data back to a hostid at the filesystem level.  This seems like a bit much
> for anything short of financial instutions and the like.

Encrypted partitions are nice. Steal the drive or reboot, and it is
useless to anyone without the pass (or NSA style cracking).

D. Stimits, stimits at idcomm.com

> 
> Just remember, as security goes up, productivity goes down.
> 
> eric
> 
> On Tue, 19 Jun 2001, Greg Horne wrote:
> 
> > >From: "Dhruva B. Reddy" <sledgehammer2010 at yahoo.com>
> > >Reply-To: lug at lug.boulder.co.us
> > >To: lug at lug.boulder.co.us
> > >Subject: Re: [lug] Re: linux
> > >Date: Tue, 19 Jun 2001 09:14:20 -0600
> > >
> > >So basically, as long as you have physical access to the machine, there is
> > >a way
> > >to reset the root password?  Sounds scary.  Is it possible to do this
> > >remotely?
> > >That's even more scary.
> >
> > Nope.  You can only reset the root password from the acctual machine.  I'm
> > sure there is some l33t hacker way to do it buy I have not heard of
> > anything.  If you are really paranoid my Abit KT7-A MB has an option to
> > password protect the bios and the startup of the computer for even more
> > added protection.
> >
> > Greg
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list