Subject: Re: asking for the path to init.
To: Chris G. Demetriou <cgd@netbsd.org>
From: Eduardo E. Horvath <eeh@one-o.com>
List: tech-kern
Date: 09/18/1999 08:08:10
On 17 Sep 1999, Chris G. Demetriou wrote:

> Darren Reed <darrenr@reed.wattle.id.au> writes:
> > If there is to be a condition placed on the presence of the ability to
> > specify a different init other than /sbin/init because of security
> > requirements then that same condition should also be enforced on the
> > other questions which can also lead to a security breach (i.e. where is
> > the root filesystem).
> 
> Yes.  and that condition is _already_ the ability to pass RB_ASKNAME
> to the kernel, via flags given at a boot block/firmware prompt.
> 
> don't have a boot block and firmware which can allow "secure" (as in,
> no specification of boot device, no specification of boot flags, etc),
> then you should get a better system if you need that functionality.
> There's just about nothing NetBSD can do to protect you from people
> hacking at your firmware prompt...

A partial solution to this would be to add the "secure" functionality to
the bootblock itself and have it strip out any insecure parameters before
loading the kernel (or secondary bootblock).  Of course, this can be
bypassed by providing arbitrary foreign media with an "insecure"
bootblock, but it is better than what we have at the moment and would
provide good security if there is only console access but not physical
access to the system.

=========================================================================
Eduardo Horvath				eeh@one-o.com
	"I need to find a pithy new quote." -- me
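A sketch in C of the bootblock-side filter proposed above, added here as an illustration; it is not code from the thread or from NetBSD's bootblocks. RB_ASKNAME, RB_SINGLE and RB_AUTOBOOT are real NetBSD flag names from sys/reboot.h; the prompt syntax (-a/-s letters, root= and init= tokens), the request struct and the built-in defaults are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Real NetBSD boot flags (sys/reboot.h). The rest of this file is a
 * constructed illustration of the "secure bootblock" idea, not the
 * real bootblock. */
#define RB_AUTOBOOT 0x000
#define RB_ASKNAME  0x001
#define RB_SINGLE   0x002

#define DEFAULT_ROOT "wd0a"       /* assumed built-in root device */
#define DEFAULT_INIT "/sbin/init" /* the init path named in the thread */

struct bootreq {
    int  howto;      /* RB_* flags typed at the prompt */
    char root[32];   /* requested root filesystem */
    char init[64];   /* requested init path */
};

/* Parse a constructed prompt line such as "-as root=sd0a init=/bin/sh". */
void parse_bootline(const char *line, struct bootreq *r)
{
    char buf[128], *tok, *save;
    r->howto = RB_AUTOBOOT;
    strcpy(r->root, DEFAULT_ROOT);
    strcpy(r->init, DEFAULT_INIT);
    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (tok[0] == '-') {
            for (const char *c = tok + 1; *c; c++) {
                if (*c == 'a') r->howto |= RB_ASKNAME;
                if (*c == 's') r->howto |= RB_SINGLE;
            }
        } else if (strncmp(tok, "root=", 5) == 0)
            snprintf(r->root, sizeof r->root, "%s", tok + 5);
        else if (strncmp(tok, "init=", 5) == 0)
            snprintf(r->init, sizeof r->init, "%s", tok + 5);
    }
}

/* The "secure" step: before handing off to the kernel, discard anything
 * the console user supplied that could change what gets booted.
 * Returns how many parameters were overridden (useful to log). */
int sanitize_bootreq(struct bootreq *r, int secure)
{
    int changed = 0;
    if (!secure) return 0;
    if (r->howto != RB_AUTOBOOT) { r->howto = RB_AUTOBOOT; changed++; }
    if (strcmp(r->root, DEFAULT_ROOT) != 0) { strcpy(r->root, DEFAULT_ROOT); changed++; }
    if (strcmp(r->init, DEFAULT_INIT) != 0) { strcpy(r->init, DEFAULT_INIT); changed++; }
    return changed;
}
```

As the message notes, this only helps against the console: a user who can boot foreign media simply brings an unfiltered bootblock of their own.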