Subject: Re: switch to fully dynamic and security
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Luke Mewburn <lukem@netbsd.org>
List: tech-userlevel
Date: 10/20/2002 18:09:26
On Sun, Oct 20, 2002 at 09:40:30AM +0200, Emmanuel Dreyfus wrote:
  | Hi all
  | 
  | It seems to me that we lowered the security of the system when switching
  | to fully dynamic:

Actually, the "-a" flag addition was a separate change from making the
system fully dynamic.


  | If we consider the case of someone having access to the console but not
  | to the floppy/cdrom/whatever (I have such machines in a computer room,
  | locked in a desk), previously, if you disabled ddb from the keyboard and
  | if you set the console as insecure in /etc/ttys, it was not possible to
  | get root by rebooting the machine and doing boot -s: init asked for the
  | root password.
  | 
  | Now, it is possible to tell the kernel the path to init at boot time
  | using -a. I have not tried it yet, but it probably means that someone
  | can reboot the machine and request the kernel to look up init here:
  | /bin/sh, thus bypassing any insecure console setting.
  | 
  | We lowered a bit our security, here, didn't we?

Not really; people have already shown that passing "/bin/sh" as the
path to init(8) doesn't work.  You need to do a little bit more than
that.

If a user can write to the root file system, and specify that path
as the "path to init" for -a, they could have just as easily supplied
the path to a different kernel ... (which -a has allowed you to change
forever).

Also, if you have DDB compiled in, what's stopping
	boot -d
or if you have USERCONF compiled in,
	boot -c
(and fiddle with the devices, even if it's just a DoS)
?

If you're seriously concerned about people playing around with the
boot sequence of your machine, you need to:

    -	i386:
	    - a BIOS password
	    - a password on your bootloader (/usr/mdec/installboot -p ... )

    -	unix workstations: a PROM setting to prevent changing the boot
	arguments without a password 

    -	a locked case (to prevent resetting of the BIOS or PROM)

Luke.
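The thread turns on one ttys(5) detail: init(8) only asks for the root password before dropping to single-user mode when the console entry in /etc/ttys does not carry the "secure" keyword. The following is an added example (not code from the thread's authors or from the NetBSD tree) that parses a ttys(5)-style file, reports whether the console is marked secure and which enabled terminals allow direct root login, and rewrites the console line to drop "secure". The sample file contents are constructed for the example, and the parser assumes the field layout used by ttys(5): name, getty command (double-quoted when it contains spaces), terminal type, on/off, then optional keywords such as secure.

```python
"""Audit and harden the console entry of an /etc/ttys file (ttys(5) format).

Added example for the tech-userlevel thread above; this is not code from
NetBSD or from the thread's participants.  SAMPLE_TTYS is constructed.
"""
import re
import shlex

# Constructed sample /etc/ttys content (not copied from a real system).
# The console line carries "secure", the weak setting discussed in the thread:
# init will enter single-user mode without asking for the root password.
SAMPLE_TTYS = """\
# name   getty                           type    status  comments
console "/usr/libexec/getty Pc"         vt100   off secure
ttyE0   "/usr/libexec/getty Pc"         wsvt25  on secure
ttyE1   "/usr/libexec/getty Pc"         wsvt25  on
tty00   "/usr/libexec/getty std.9600"   unknown off secure
tty01   "/usr/libexec/getty std.9600"   unknown off   # serial, no root login
"""


def parse_ttys(text):
    """Parse ttys(5) lines into dicts with name, getty, type, on, secure, flags.

    Blank lines and '#' comments are skipped.  shlex handles the double
    quotes around the getty command, which normally contains a space.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("line %d: expected name getty type status" % lineno)
        name, getty, ttype, status, *keywords = fields
        if status not in ("on", "off"):
            raise ValueError("line %d: status must be on or off" % lineno)
        entries.append({
            "name": name,
            "getty": getty,
            "type": ttype,
            "on": status == "on",
            "secure": "secure" in keywords,
            "flags": keywords,
        })
    return entries


def console_is_secure(entries):
    """True when the console line has 'secure', i.e. init(8) will NOT ask for
    the root password before giving a single-user shell."""
    for e in entries:
        if e["name"] == "console":
            return e["secure"]
    raise ValueError("no console entry in ttys file")


def audit_ttys(text):
    """Summarise the root-login exposure of a ttys file."""
    entries = parse_ttys(text)
    return {
        "console_secure": console_is_secure(entries),
        # enabled terminals on which root may log in directly
        "root_login_ttys": [e["name"] for e in entries if e["on"] and e["secure"]],
    }


def drop_console_secure(text):
    """Return the file with 'secure' removed from the console line only.

    Assumption: the 'secure' token never appears inside the quoted getty
    command, so a whitespace-delimited match on the console line is safe.
    Other lines, alignment and trailing comments are left untouched.
    """
    out = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if fields and fields[0] == "console" and "secure" in fields[4:]:
            raw = re.sub(r"\s+secure(?=\s|$)", "", raw, count=1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_ttys(SAMPLE_TTYS))
    hardened = drop_console_secure(SAMPLE_TTYS)
    print("after: ", audit_ttys(hardened))
    print(hardened)
```

As Luke's reply points out, this only closes the init(8) path: with "secure" removed, `boot -s` prompts for the root password, but an attacker who can pass `-a`, `-d` or `-c` at the boot prompt, or reset the firmware, is outside what /etc/ttys can enforce, which is why the BIOS, bootloader and PROM passwords and a locked case are listed as the real controls.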