Re: Small security option

[Rene Rebe]

Hi,

On: Wed, 17 Sep 2003 20:55:44 -0400 (EDT),
    John R Moser <jmoser5@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Why wasn't this done in the first place anyway? 
> 
> Some sysadmins like to disable the other boot devices and password-protect
> the bios.  Good, but if the person can pass init=, you're screwed. 
> 
> Here's a small patch that does a very simple thing: Disables "init=" and
> using /bin/sh for init. That'll stop people from rooting the box from grub. 

+  will also never be used as init.  This prevents users with physical
+  access to the machine from gaining root access by passing
+  init=/bin/bash to the kernel.
+
+  It is common to pass init=/bin/bash to the kernel to fix really
+  messed up machines.  If you say 'Y' here, you should make sure you
+  have a boot floppy with a kernel compiled with normal init code, OR
+  a rescue system such as a boot/root floppy or a Knoppix CD.

Erhm this adds no security - you know most people always have a USB
stick or Credit Card CD with a tiny Linux in the pocket? Or just take
the HD out of your box?

Maybe you should configure GRUB to need a password to change the
config on-the-fly to gain the same amount of "security"?

> The file is attatched.

Sincerely yours,
  René Rebe

--  
René Rebe - Europe/Germany/Berlin
  rene@xxxxxxxxxxxxx rene@xxxxxxxxxxxxxxxxxxxxxxx
http://www.rocklinux.org http://www.rocklinux-consulting.de
http://gsmp.tfh-berlin.de/gsmp http://gsmp.tfh-berlin.de/rene

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/