Bugtraq mailing list archives
Re: Possible Linuxconf Vulnerability
From: harik () CHAOS AO NET (Dan Merillat)
Date: Wed, 5 May 1999 07:46:55 -0400
Neale Banks writes:
On Sat, 1 May 1999, Desync wrote:
If someone really wanted to do some damage with physical access to a machine, popping a rescue disk set into the drive and rebooting with the reset switch would do fine.
Agreed: there is much to be said for the assertion "physical access == game over".
Keyboard + monitor != floppy drive + reset switch. It's simple enough to secure a system inside a locked cabinet and only have a keyboard and monitor outside. Furthermore, if you put a BIOS setup password (and binary edit your flash to change the !@#!@# backdoor password) and password lock your boot manager (in this case, it would be LILO), someone with keyboard access cannot do anything.

Unless, of course, a braindead boot-script gives them some kind of root access. Another (generally fixed now) example would be boot-time fsck(8).

Administrators take heed: Read your bootscripts. Make sure they "Do the Right Thing" in case of errors.

--Dan
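
Added example, not part of the original post: a small audit of the LILO password lock the message recommends, checking that every boot entry is covered by a `password` and that the file holding it is not readable by others. The sample configurations, the placeholder password and the helper names `parse_lilo` and `audit_lilo` are constructed for illustration.

```python
# Constructed sample lilo.conf (not from the post): no boot-prompt protection.
WEAK = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""
# Same file with LILO's `password` and `restricted` keywords; the value is a placeholder.
HARDENED = WEAK.replace("prompt\n", "prompt\npassword=CHANGE-ME\nrestricted\n")

def parse_lilo(text):
    """Split lilo.conf text into a global section followed by image/other sections."""
    sections = [{"name": "global", "opts": {}}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):
            sections.append({"name": value, "opts": {}})
        else:
            sections[-1]["opts"][key] = value
    return sections

def audit_lilo(text, mode=0o600):
    """Return findings (hypothetical helper); an empty list means the prompt is locked."""
    glob, *images = parse_lilo(text)
    findings = []
    for img in images:
        opts = {**glob["opts"], **img["opts"]}  # per-image options override global ones
        if "password" not in opts:
            findings.append(f"{img['name']}: boot parameters accepted without a password")
        elif "restricted" not in opts:
            findings.append(f"note: {img['name']}: password needed on every boot (no 'restricted')")
    stores_password = any("password" in s["opts"] for s in [glob, *images])
    if stores_password and mode & 0o077:
        findings.append("lilo.conf holds a cleartext password but is group/world accessible")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_lilo(conf) or "ok")
```

Pass the real file's permission bits as `mode` (for example from `os.stat`) when running this against an actual `/etc/lilo.conf`.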