On Wed, Nov 14, 2001 at 04:13:50AM -0600, Colin Watson wrote:
> On Wed, Nov 14, 2001 at 09:29:00AM +0530, [EMAIL PROTECTED] wrote:
> > Dear members,
> > Is there any safe way, whereby, I can hide init 1 from all
> > others who access my mac?
>
> It sounds like you're trying to secure against physical access. This is
> fundamentally hard. I suggest a password on your BIOS (what's the Mac
> equivalent?) and/or bootloader.

I tried to ask about physical access a while ago, but the list didn't bite. I had a couple of conversations about it elsewhere, and came up with the following list of action / response to dictate how secure you want your machine to be.

A) People can boot "LILO: linux single"
B) disable lilo's boot prompt

A) But I want to boot multiple kernels / OSes
B) Put a password on single user mode (Debian does this)

A) What about "LILO: linux init=/bin/sh"?
B) Configure lilo to not accept kernel arguments.

A) Unfortunately, I need arguments to address my large memory
B) OK, you can give lilo a password to boot non-standard options

A) hmm. That's nice. But what if people bring in a floppy?
B) You'll need to disable booting from removable media in the BIOS.

A) But can't they change that?
B) Many BIOSes let you put a password on the BIOS too.

A) True. But there's also usually a jumper on the board to clear that password.
B) You're going to have to lock the case. Most cases have a padlock hole. Or, you can separate the box from the input (in a public area, make the keyboard and monitor accessible, and the box behind a wall).

A) That's unfortunately not feasible. People need to have access to the box, and it won't be watched. Someone could take a circ saw to the case and get at the jumper.
B) Make it a thin client. Mount the entire system from somewhere else. Then there's no system for them to get root. Combining that with requiring authentication before the machine can use net, you might be able to prevent them from booting an entire system from local media and using the machine for an untraced attack.

That's about as far as it went. Physical access is a losing battle, but you can make it annoyingly difficult.

-ben

--
Ben Hartshorne              ...Discarding smoothly, as we disembark,
[EMAIL PROTECTED]           All thoughts that held us wiser for a moment
ben.hartshorne.net          Up there, alone, in the impartial dark. -M. Oliver
My PGP key is at /pgp.txt.  Please encrypt all communications.
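
A check for the LILO password step discussed in the message above, added here as an example and not part of the original thread: it parses a lilo.conf and reports, per boot entry, whether typing arguments such as `single` or `init=/bin/sh` at the prompt requires a password. The keyword semantics (`password`, `restricted`, `mandatory`, `bypass`) are assumed to follow the lilo.conf(5) man page; the sample configuration and the function names are constructed for illustration.

```python
import os
import stat

# Constructed sample lilo.conf, not taken from the thread.
SAMPLE = """\
boot=/dev/hda
image=/vmlinuz
    label=linux
    password=CHANGEME   # placeholder value
    restricted
image=/vmlinuz.old
    label=rescue
other=/dev/hda1
    label=other-os
"""

def parse(text):
    """Split lilo.conf text into global options and per-entry sections."""
    glob, sections, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key in ("image", "other"):
            cur = {"target": val}
            sections.append(cur)
        else:
            (glob if cur is None else cur)[key] = val
    return glob, sections

def protection(glob, sec):
    """Classify one entry; a per-entry keyword overrides the global one."""
    if "bypass" in sec or not ("password" in sec or "password" in glob):
        return "unprotected"       # no password is asked for at all
    for scope in (sec, glob):
        if "mandatory" in scope:
            return "mandatory"     # password needed for every boot
        if "restricted" in scope:
            return "restricted"    # password needed only when arguments are given
    return "mandatory"             # lilo's default once a password is set

def audit(text):
    """Map each boot entry's label to its protection level."""
    glob, sections = parse(text)
    return {s.get("label", s["target"]): protection(glob, s) for s in sections}

def readable_by_others(path):
    """The password is stored in clear text, so the file should be mode 600."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    for label, level in audit(SAMPLE).items():
        print(f"{label}: {level}")
```

In the sample, `rescue` is the entry that still accepts `init=/bin/sh` without a password, because it has no password of its own and there is no global one to inherit.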