Subject: Re: which init? (Was Re: HEADS UP: fully dynamic linked system now
To: Jaromir Dolecek <jdolecek@netbsd.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 09/26/2002 14:20:30
On Thu, 26 Sep 2002, Jaromir Dolecek wrote:

> Manuel Bouyer wrote:
> > On Wed, Sep 25, 2002 at 02:40:19PM -0400, William Waites wrote:
> > > Is there a way to turn this off? IIUC it makes marking the console
> > > insecure in /etc/ttys useless since you can just boot '-a
> > > /bin/sh'... Just like that Finnish OS (init=/bin/sh) ;)
> >
> > Did you try it ? I'm not sure /bin/sh will work on NetBSD as proc 1.
> > Especially I'm not sure file descriptors 0,1,2 would be properly open.
>
> Doesn't actually matter too much - the user could just run their
> specially adjusted init (the source is available, after all).
>
> I'd be happier if it would just fallback to /rescue/init, rather
> than ask for location.

Given that -a will first ask you where to find the root device, why does
it matter? Before the "which init" question is asked, as Luke pointed out,
we are first asked a more vulnerable question.

Also, we're talking about what happens when someone typed "boot -a". i.e.
when someone HAD ACCESS TO THE BOOT LOADER. Why are we worrying about
which init gets run when the person at the keyboard could have chosen
which kernel got booted?

If you want to lock the machine down hard, you need to fire up password
locking in the BIOS, and have a boot loader that doesn't let you give a
command line w/o a password. Otherwise until the kernel is loading init,
you are vulnerable. i.e. someone can boot the machine off of a floppy or
some other medium, and you're wide open.

So if you really want to lock stuff down, you need to take steps that
will, as a natural consequence, make worrying about the "-a" boot option
not a problem.

If you lock your boot loader down and hard-code "-a" into it, well,
you lose.

Take care,

Bill
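The thread turns on what the "secure" flag on the console line of /etc/ttys actually buys you: init(8) consults it to decide whether to demand the root password before handing out a single-user shell, and that check lives in init, so it never runs if the person at the boot loader substitutes their own init with "-a". The following is an added example, not code from the mail or from NetBSD, that parses /etc/ttys entries and reports what init would do; the sample file, the function names and the KNOWN_FLAGS set are my own constructions, and the quoting rules follow the double-quote convention of getttyent(3).

```python
"""Parse /etc/ttys and report whether single-user mode will ask for the root
password.  Added example for illustration; not part of the original mail.

Model of init(8) behaviour used here: the root password is requested before
the single-user shell only when the "console" entry lacks the "secure" flag.
That decision is made by init itself, so booting with "-a" and naming a
different init bypasses it entirely; nothing below can change that.
"""
import shlex

# Constructed sample, not a real host's /etc/ttys.
SAMPLE_TTYS = """\
# name  getty                          type    status  flags
console "/usr/libexec/getty Pc"        vt100   off     secure
ttyE0   "/usr/libexec/getty Pc"        wsvt25  on      secure
ttyE1   "/usr/libexec/getty Pc"        wsvt25  on      secure
tty00   "/usr/libexec/getty std.9600"  unknown off     secure
tty01   "/usr/libexec/getty std.9600"  unknown off
"""

# Flag words accepted after the status field (assumed set for this example).
KNOWN_FLAGS = {"secure", "local", "rtscts", "mdmbuf", "softcar"}


def parse_ttys(text):
    """Return {name: {getty, type, status, flags, window}} for each entry."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are whitespace separated; a field may be double quoted.
        fields = shlex.split(line, comments=True)
        if len(fields) < 4:
            raise ValueError("line %d: expected 4+ fields, got %r" % (lineno, fields))
        name, getty, ttype, status = fields[:4]
        entry = {"getty": getty, "type": ttype, "status": status,
                 "flags": set(), "window": None}
        for word in fields[4:]:
            if word.startswith("window="):
                entry["window"] = word[len("window="):]
            elif word in KNOWN_FLAGS:
                entry["flags"].add(word)
            else:
                raise ValueError("line %d: unknown flag %r" % (lineno, word))
        entries[name] = entry
    return entries


def console_is_secure(entries):
    """True when the console line carries the 'secure' flag."""
    return "secure" in entries.get("console", {}).get("flags", set())


def single_user_needs_root_password(entries):
    """True when init would prompt for the root password before single-user."""
    return not console_is_secure(entries)


def _quote(field):
    # getttyent(3) understands double quotes only, so never emit single quotes.
    return '"%s"' % field if (" " in field or "\t" in field) else field


def set_console_secure(text, secure):
    """Rewrite only the console line, adding or dropping 'secure'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = shlex.split(line, comments=True)
            if fields and fields[0] == "console":
                rest = [f for f in fields[4:] if f != "secure"]
                if secure:
                    rest.insert(0, "secure")
                raw = " ".join(_quote(f) for f in fields[:4] + rest)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, cfg in (("as shipped", SAMPLE_TTYS),
                       ("console insecure", set_console_secure(SAMPLE_TTYS, False))):
        e = parse_ttys(cfg)
        print("%-17s single-user asks root password: %s"
              % (label, single_user_needs_root_password(e)))
```

Running the script shows the flag flipping the prompt on and off, which is exactly the control the mail calls useless against someone who can already type "boot -a": the check is evaluated by whichever init the kernel was told to run.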