Bugtraq mailing list archives

Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Mon, 13 Jul 1998 22:14:03 +0200


Alas, "full" password mode on at least some of the Sun systems I have used
will also prompt for the password before completing any legitimate boot,
more or less crippling the lab/server in the event of any kind of
unattended restart.  Such as might well happen in a lab, or on a server
after a panic, power out, or other incident.  It also does not prevent the
Stop-A/Break from freezing the running system.

Correct; this is why at one point in my past I had a lab configured with
a shutdown/bootup script (an rcX.d script) that would switch security-mode
full to command on shutdown and switch command to full on boot.
This way you could reboot remotely, but anyone typing L1-A or wanting
to power cycle would have to go to the sysadmin's office and explain why
he/she did what he did (you guessed it, student environment)

I believe that setting the EEPROM security mode to "command" will prevent
anyone from doing much to the system other than to Stop-A/Break halt it
and reboot with the default boot params; it will also allow a halted
machine to be continued.  It should (at least so the manual pages seem to
claim) not allow other commands, and I am pretty sure it will allow an
unattended reboot to the default boot device.  Seems like this would be
the best remedy in a lab environment.

Correct.

Note that none of the modes will prevent the Stop-A/Break halt itself,
AFAIK.  But now we're talking physical access issues, and all physically
accessible systems are subject to the snip hole (power cord?  <snip>), and
the spray hole (spray water into the box), should the malicious person
want to halt it in person.

In Solaris 2.6, you can edit /etc/default/kbd and disable console
break as well.  (Add KEYBOARD_ABORT=disable)


Here's the script; install it as /etc/init.d/security-mode and make
the following links:

ln -s /etc/init.d/security-mode      /etc/rc0.d/K99secmode
ln -s /etc/init.d/security-mode      /etc/rc2.d/S06secmode


#!/sbin/sh
PATH=/bin:/usr/sbin:/usr/bin
export PATH

# When shutting down security mode is set to command if full.
# If the security mode is changed, /security-full is touched.
# When starting security mode is reset to full when /security-full
# exists and the mode is command.

file=/security-full
mode=`expr "\`eeprom security-mode\`" : 'security-mode=\(.*\)'`
#echo mode=$mode
case "$1" in
'start')
        if [ -f $file -a "$mode" = command ]
        then
            rm $file && eeprom security-mode=full
            #echo mode set to full
        fi

        ;;

'stop')
        if [ "$mode" = full ]
        then
            touch $file && eeprom security-mode=command
            #echo mode set to command
        fi
        ;;

*)      # Quote the usage text: an unquoted | would start a pipeline.
        echo "Usage: /etc/init.d/security-mode { start | stop }" 1>&2
        ;;
esac
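
An added example, not part of the original post: a small audit helper for a running system that checks the state the script above depends on (the security-mode value, the /security-full marker, and KEYBOARD_ABORT in /etc/default/kbd). The function names and the "live" argument are hypothetical, and the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: audit the state the security-mode rc script relies on.
# The functions take text as arguments so the logic can be checked offline.

# Extract the value from a line such as "security-mode=full".
parse_mode() {
    printf '%s\n' "$1" | sed -n 's/^security-mode=\(.*\)$/\1/p'
}

# Report KEYBOARD_ABORT from the text of /etc/default/kbd.
# Lines starting with '#' never match; if several assignments exist the
# last one is reported (assumption); no assignment at all -> "unset".
parse_kbd_abort() {
    v=`printf '%s\n' "$1" | sed -n 's/^KEYBOARD_ABORT=\(.*\)$/\1/p' | sed -n '$p'`
    echo "${v:-unset}"
}

# audit_state <eeprom output line> <marker present: yes|no>
# Judges a system that has finished booting, i.e. after the 'start' link ran.
audit_state() {
    mode=`parse_mode "$1"`
    case "$mode:$2" in
    full:no)     echo "ok: mode is full and no marker is left behind" ;;
    full:yes)    echo "warn: stale marker; 'stop' touched it but mode is full" ;;
    command:yes) echo "warn: marker present, 'start' did not restore full" ;;
    command:no)  echo "info: mode is command; the rc script will not change it" ;;
    none:*)      echo "fail: security-mode is none, PROM is unprotected" ;;
    *)           echo "fail: unrecognized security-mode '$mode'" ;;
    esac
}

# Live use on the host itself: sh audit.sh live
if [ "${1:-}" = live ]; then
    marker=no
    [ -f /security-full ] && marker=yes
    line=`eeprom security-mode`
    audit_state "$line" "$marker"
    kbd=`cat /etc/default/kbd 2>/dev/null`
    echo "KEYBOARD_ABORT: `parse_kbd_abort "$kbd"`"
fi
```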


