From Tom Frye
Answered By Jim Dennis
I have LILO / GRUB installed as my boot loader, and I want to add BeOS to the list. I figured out how to do that, but is it possible to password protect that selection? BeOS can read / write to Linux without any security measures, so I need to block out users.
[JimD] Do you have LILO or GRUB installed? I really doubt you'd be using both (one in the MBR and the other in the superblock?).
In /etc/lilo.conf you can specify a password. This can be done in the global section or in any "stanza"). If it is done in the global section then the "restricted" will allow you to "restrict" those images to being booted without a password IF and only IF they are being booted without any additional parameters.
So, set a password. Leave the "restricted" option off of your BeOS stanza(s) (so it/they always require(s) a password) and add it to your Linux stanza(s) (to prevent someone from simply using init=/bin/sh rw to bypass your desired policy of preventing console users access to your ext2 filesystems unless they have your passwords and respect the Linux permissions/ownership settings). Note that there exist some MS-DOS/MS-Windows utilities for accessing ext2 filesystems as well. So access to those should also be restricted if you want to protect yourself with more than a simple layer of obscurity.
Of course, securing your system from console access also requires that you change the default CMOS/BIOS settings to prevent booting from removable media (or physically lock the floppy and/or CD-ROM slots or remove those devices). You'll also have to set CMOS passwords to prevent the console user from simply changing the setting back. You'll also want to consider locking the case in its own cabinet or getting a case lock of some sort (so users don't simply open the case, short the CMOS/NVRAM battery, resetting it to factore defaults).
Finally you should be aware that some (most?) PC BIOS' include a factory password to allow their support staff to help hapless users who have set CMOS passwords and forgotten them. Luckily those are quite obscure --- I don't happen to know any of them. However, a persistent session with a search engine would probably find a few of them for me; and a bit of social engineering on a call to the PC's manufacturer would probably get me the one I wanted (if I was sitting in front of your machine trying to break-in).
I really wish I could recommend a BIOS manufacturer that I could guarantee *DIDN'T* have a backdoor password. I will be much happier when someone get a usable OpenBIOS replacement working for some reasonably available motherboard/chipset.
(I still won't someone to write a sane BIOS bootloader that stores a list of device/bootblock address with checksums in the NVRAM; and that has hardware write-protect pins/jumpers on the NVRAM; we won't have truly robust PCs until someone does so).
|1 2 3 4 6 7 9|
|11 12 15 16 18|
|20 22 24 25 26 28 29|