Bugtraq mailing list archives
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Mon, 13 Jul 1998 22:14:03 +0200
Alas, "full" password mode on at least some of the Sun systems I have used will also prompt for the password before completing any legitimate boot, more or less crippling the lab/server in the event of any kind of unattended restart. Such as might well happen in a lab, or on a server after a panic, power out, or other incident. It also does not prevent the Stop-A/Break from freezing the running system.
Correct; this is why at one point in my past I had a lab configured with a shutdown/bootup script (an rcX.d script) that would switch security-mode full to command on shutdown and switch command to full on boot. This way you could reboot remotely, but anyone typing L1-A or wanting to power cycle would have to go to the sysadmin's office and explain why he/she did what he did (you guessed it, student environment).
I believe that setting the EEPROM security mode to "command" will prevent anyone from doing much to the system other than to Stop-A/Break halt it and reboot with the default boot params; it will also allow a halted machine to be continued. It should (at least so the manual pages seem to claim) not allow other commands, and I am pretty sure it will allow an unattended reboot to the default boot device. Seems like this would be the best remedy in a lab environment.
Correct.
Note that none of the modes will prevent the Stop-A/Break halt itself, AFAIK. But now we're talking physical access issues, and all physically accessible systems are subject to the snip hole (power cord? <snip>), and the spray hole (spray water into the box), should the malicious person want to halt it in person.
In Solaris 2.6, you can edit /etc/default/kbd and disable console break as well. (Add KEYBOARD_ABORT=disable)

Here's the script/install as /etc/init.d/security-mode and make the following links:

    ln -s /etc/init.d/security-mode /etc/rc0.d/K99secmode
    ln -s /etc/init.d/security-mode /etc/rc2.d/S06secmode

    #!/sbin/sh
    PATH=/bin:/usr/sbin:/usr/bin
    export PATH

    # When shutting down security mode is set to command if full.
    # If the security mode is changed, /security-full is touched.
    # When starting security mode is reset to full when /security-full
    # exists and all mode is command.

    file=/security-full
    mode=`expr "\`eeprom security-mode\`" : 'security-mode=\(.*\)'`
    #echo mode=$mode

    case "$1" in
    'start')
        if [ -f $file -a "$mode" = command ]
        then
            rm $file && eeprom security-mode=full
            #echo mode set to full
        fi
        ;;
    'stop')
        if [ "$mode" = full ]
        then
            touch $file && eeprom security-mode=command
            #echo mode set to command
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/security-mode { start | stop }" 1>&2
        ;;
    esac
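
An audit check for the two settings discussed in this message, as an added example that is not part of the original post. It is written for a POSIX shell rather than the Solaris /sbin/sh used above, takes the `eeprom security-mode` output line and file paths as arguments so it can run offline, and its finding names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the console-hardening settings discussed in this message.
#   $1  line printed by `eeprom security-mode`, e.g. "security-mode=command"
#   $2  kbd defaults file (/etc/default/kbd on Solaris 2.6)
#   $3  flag file written by the init script (/security-full)
# Finding names (prom-unprotected, ...) are hypothetical labels for this example.
audit_console() {
    line=$1 kbd=$2 flag=$3
    findings=""
    case "$line" in
        security-mode=*) mode=${line#security-mode=} ;;
        *)               mode=unparsed ;;
    esac
    case "$mode" in
        full) ;;
        command)
            # Flag still present on a running system: the 'start' half of the
            # init script never switched the PROM back from command to full.
            if [ -f "$flag" ]; then
                findings="$findings full-not-restored"
            fi ;;
        none) findings="$findings prom-unprotected" ;;
        *)    findings="$findings mode-unknown" ;;
    esac
    # Only an uncommented setting counts; a "#KEYBOARD_ABORT=disable" line
    # or a missing file leaves console break enabled.
    if ! grep '^KEYBOARD_ABORT=disable' "$kbd" >/dev/null 2>&1; then
        findings="$findings break-enabled"
    fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# Constructed sample: command mode, leftover flag file, break setting commented out.
tmp=${TMPDIR:-/tmp}/secmode.$$
mkdir -p "$tmp"
printf '#KEYBOARD_ABORT=disable\n' > "$tmp/kbd"
: > "$tmp/security-full"
audit_console "security-mode=command" "$tmp/kbd" "$tmp/security-full"
```

On a live system the first argument would be the output of `eeprom security-mode`, with /etc/default/kbd and /security-full as the other two.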