Subject: Re: Another changer, another changer problem
To: NetBSD-current Discussion List <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 10/08/1998 17:12:20
[ On Thu, October 8, 1998 at 13:31:07 (-0700), Curt Sampson wrote: ]
> Subject: Re: Another changer, another changer problem
> On Thu, 8 Oct 1998, Greg A. Woods wrote:
> > Didn't I say something about a "hard" line somewhere?
> So? What I said still applies; I don't want my console going to
> just any terminal; I want it going only to physically secured
So? Then mark the device file where this rogue user would poke the tty
port information into the PROM's NVRAM as immutable and make sure you've
already added that one line of code to sys_mknod() to be sure that root
can't run mknod(2) when securelevel >= 2.
Personally I don't find anywhere near enough risk reduction in the
lengths you're suggesting you might go to securing a system. If you're
really wanting to go to that level (eg. you're building a TCB to run in
a Tempest environment) then perhaps you should consider getting rid of
the reboot(2) and halt(2) system calls and forcing physical access for
shutdowns (i.e. get a 3b2 or mac or sgi or ATX-based i386 box that has a
soft power switch and make that the *only* way to shut down the system).
If the guy is root then I don't really care what "securelevel" you're
at. All attempts to prevent the one and only superuser from doing
super-user-like duties is only going to limit the usefulness of the
system. If you want multiple degrees of "super-user-ness" then you
really need something slightly more complex than unix (Multics comes
immediately to mind here...).
> > Clearly trying to point /dev/console at a PTY would be pointless
> > regardless of how intelligent your PROM is.
> Why? ISTR some systems do this. You can do a shutdown from a telenet
> connection, and that connection will remain open and be your console.
So, if you're right then someone pulled of some minor magic and found a
way to hand off a TCP connection to the PROM.
As I've said less metaphorically before, if it hurts, then don't do it!
However it might feel good to me, so I do want to do it. Standing in my
way is not a nice thing to do.
As has always been the case, esp. in the realm of unix, you give the
user lots of tools and toys, even if they include nasty things like
cattle prods and miles of rope, and the admin who wants to tie down his
environment has to use up all the rope and hide all the dangerous toys.
I.e. if you're interested in doing what you want to do then *you* have
to do the extra work to take out the features you think are dangerous.
Greg A. Woods
+1 416 218-0098 VE3TCP <firstname.lastname@example.org> <robohack!woods>
Planix, Inc. <email@example.com>; Secrets of the Weird <firstname.lastname@example.org>