[10455] in bugtraq
Re: Possible Linuxconf Vulnerability
daemon@ATHENA.MIT.EDU (Dan Merillat)
Thu May 6 16:13:09 1999
Message-Id: <199905051146.HAA24281@chaos.ao.net>
Date: Wed, 5 May 1999 07:46:55 -0400
Reply-To: Dan Merillat <harik@CHAOS.AO.NET>
From: Dan Merillat <harik@CHAOS.AO.NET>
To: BUGTRAQ@NETSPACE.ORG

Neale Banks writes:
> On Sat, 1 May 1999, Desync wrote:
> > If someone really wanted to do some damage with physical access to a
> > machine, popping a rescue disk set into the drive and rebooting with the
> > reset switch would do fine.
>
> Agreed: there is much to be said for the assertion "physical access ==
> game over".

Keyboard + monitor != floppy drive + reset switch.

It's simple enough to secure a system inside a locked cabinet and only have
a keyboard and monitor outside. Furthermore, if you put a BIOS setup password
(and binary edit your flash to change the !@#!@# backdoor password) and password
lock your boot manager (in this case, it would be LILO) someone with
keyboard access cannot do anything. Unless, of course, a braindead boot-script
gives them some kind of root access.

Another (generally fixed now) example would be boot-time fsck(8).

Administrators take heed: Read your bootscripts. Make sure they "Do the Right Thing"
in case of errors.

--Dan
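
Added example, not part of the original message or of any project's code: a small shell audit for the two checks the message recommends, a password-locked LILO configuration and boot scripts that do not hand out a shell when fsck fails. The file names, the `EXAMPLE` password value and the sample contents are constructed, and the boot-script check is a heuristic that only flags a bare shell invocation where sulogin(8) would ask for the root password first.

```shell
#!/bin/sh
# Added example; all sample files below are constructed for illustration.

# One finding per line for a lilo.conf-style file; no output means no finding.
audit_lilo_conf() {
    if ! sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "no-password: anyone at the boot prompt can pass kernel arguments"
        return
    fi
    # password= is stored in cleartext, so group/other must have no access.
    case $(ls -l "$1" | cut -c5-10) in
        ------) ;;
        *) echo "readable-config: password= is set but group/other can access the file" ;;
    esac
}

# Heuristic: list lines of a boot script that start a bare shell
# (no script argument) instead of handing off to sulogin(8).
audit_boot_script() {
    sed 's/#.*//' "$1" | grep -En \
        '^[[:space:]]*(exec[[:space:]]+)?(/bin/)?(sh|bash|ash)([[:space:]]+-i)?[[:space:]]*([<>].*)?$'
}

# Constructed samples: a weak and a hardened variant of each file.
make_samples() {
    printf 'boot=/dev/hda\nprompt\nimage=/vmlinuz\n  label=linux\n' > "$1/lilo.weak"
    printf 'boot=/dev/hda\nprompt\npassword=EXAMPLE\nrestricted\nimage=/vmlinuz\n  label=linux\n' > "$1/lilo.hard"
    chmod 644 "$1/lilo.weak"; chmod 600 "$1/lilo.hard"
    printf '#!/bin/sh\nfsck -a /dev/hda1\nif [ $? -gt 1 ]; then\n  echo "fsck failed"\n  /bin/sh\nfi\n' > "$1/rc.weak"
    printf '#!/bin/sh\nfsck -a /dev/hda1\nif [ $? -gt 1 ]; then\n  echo "fsck failed"\n  /sbin/sulogin\nfi\n' > "$1/rc.hard"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in lilo.weak lilo.hard; do echo "$f: $(audit_lilo_conf "$dir/$f")"; done
for f in rc.weak rc.hard; do echo "$f: $(audit_boot_script "$dir/$f")"; done
```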