[242] in linux-security and linux-alert archive
[SUMMARY] Securing the console of a linux system, given a secure
daemon@ATHENA.MIT.EDU (Nigel Metheringham)
Thu May 25 11:24:31 1995
cc: linux-security@tarsier.cv.nrao.edu
In-reply-to: Your message of "Tue, 16 May 1995 18:30:20 +0200."
<m0sBQRs-000DA8C@pigpen.ohm.york.ac.uk>
Date: Thu, 25 May 1995 12:31:40 +0200
From: Nigel Metheringham <nigelm@ohm.york.ac.uk>
Hi,
The original query asked if, given a system that couldn't have the boot
intercepted or modified, a Linux system could be considered/made secure.
Then to muddy the issue I described our PC boot setup where the DOS side of
things is based on netbooted PC/NFS.
Rather than include long extracts I am going to summarise the responses - and
my summaries are rather brutal! If someone feels I am misrepresenting them
please contact me and I'll try to redress that - it's not intentional!
Basically, on the linux side, the consensus was that if the boot could be
secured - i.e. a user cannot boot from floppy - then the system is as secure as
a general Unix system. An NFS-mounted root could be vulnerable to external
hacking - best exported read-only.
However having the PCs also able to boot into DOS with PC/NFS opens up a new
can of worms. PC/NFS can be hacked - and that's difficult to plug. The
suggestion of loading a linux up using loadlin or similar was also mentioned
- this is obviously possible (but in our case needs some work doing since
loadlin and its friends cannot handle the PCs memory map without managing to
crash the system as it loads the image - however clever programming would
easily defeat this).
A lot of things boiled down to the fact that NFS security relies on trust
between the server and client. PCs (under DOS) are not trustable, and so the
whole system falls apart as soon as a PC with DOS is trusted. With current
protocols a system which has no memory protection cannot be made trustworthy.
Other suggestions included physically disconnecting the system and spoofing
with an external system - yes that can be done, it's not a problem unique to
this setup (managed 10BaseT hubs should help here, but if you change the
hardware address of the card things get interesting).
It appears that the addition of linux into the equation does not degrade
security at all from our current setup. Removing DOS would enhance security
(and of course be the morally right thing to do :-) ).
Thanks to the following people who responded to my original request:-
"Alvaro M. Echevarria" <mtl94033@oasis.dit.upm.es>
"Steve \"Stevers!\" Coile" <scoile@GMU.EDU>
Jack of all trades <Wim.Vandeputte@rug.ac.be>
Yossi Gottlieb <yogo@math.tau.ac.il>
iialan@iiit.swan.ac.uk (Alan Cox)
iwj10@cus.cam.ac.uk (Ian Jackson)
leydold@statrix2.wu-wien.ac.at (Josef Leydold)
If you want to add to this I suggest you send comments to me - if there is a
set of these then I will pass them on to the list. Alternatively if it's a
new thread derived from this then take it on to the moderators.
Nigel.
- Nigel Metheringham -- EMail: nm4@unix.york.ac.uk nigelm@ohm.york.ac.uk -
- System Administrator, Electronics Dept, University of York, York YO1 5DD -
- Tel: +44 1904 432374, Fax: +44 1904 432335 | PGP key available from WWW -
- WWW: http://www.amp.york.ac.uk/~nm4/ | -