*BSD News Article 11821



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA2226 ; Mon, 01 Mar 93 10:50:03 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!uunet!elroy.jpl.nasa.gov!lll-winken!unixhub!stanford.edu!agate!gaia.CS.Berkeley.EDU!cgd
From: cgd@gaia.CS.Berkeley.EDU (Chris G. Demetriou)
Newsgroups: comp.os.386bsd.bugs
Subject: Patch for secure boot w/insecure console
Message-ID: <1lt2tk$m7q@agate.berkeley.edu>
Date: 17 Feb 93 10:09:56 GMT
Organization: Kernel Hackers 'r' Us
Lines: 76
NNTP-Posting-Host: gaia.cs.berkeley.edu

[ comment from me, as moderator:
  well-tested, "important" patches should go to .bugs and
  .announce. if the quality/importance of the patch is dubious,
  send it to .bugs -- cgd ]


enclosed is a patch to init that keeps 386bsd from giving
single-user root shells to users on insecure consoles.

if 386bsd is booted single-user from an insecure console,
and this patch is installed, init will demand the root password
before exec'ing a shell.  The booter can simply hit control-d
to bring the machine up multi-user.


this patch, along with correct BIOS settings and a lack of
"insecure" OSs (like DOS) can keep crackers who have access
to your console from screwing up your 386bsd setup.


chris

=========
begin 644 secure-init.diffs
end
-- 
Chris G. Demetriou                                    cgd@cs.berkeley.edu

                 MENTALLY CONTAMINATED and proud of it!
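
The post does not show how init decides that the console is insecure. The sketch below is an added example, not the patch or any code from the original post, and it assumes the decision comes from the `secure` flag in ttys(5); `tty_is_secure`, `single_user_needs_password` and the sample table are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in ttys(5) layout: name, "getty command", type, flags. */
static const char SAMPLE_TTYS[] =
    "# name  getty                    type   status\n"
    "console \"/usr/libexec/getty Pc\"  pc3    on insecure\n"
    "ttyv0   \"/usr/libexec/getty Pc\"  pc3    on secure # local\n"
    "ttyd0   \"/usr/libexec/getty std\" dialup off # secure\n";

/* Return 1 if the first entry for `tty` carries a whole-word "secure" flag.
 * Unknown terminals and malformed lines count as insecure (fail closed). */
int tty_is_secure(const char *ttys, const char *tty)
{
    size_t namelen = strlen(tty);
    const char *line = ttys;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line + strspn(line, " \t");
        if (strncmp(p, tty, namelen) == 0 &&
            (p[namelen] == ' ' || p[namelen] == '\t')) {
            const char *q = p + namelen;
            while (q < end) {
                q += strspn(q, " \t");
                if (q >= end || *q == '#') break;   /* trailing comment */
                if (*q == '"') {                    /* skip quoted getty command */
                    const char *close = memchr(q + 1, '"', (size_t)(end - q - 1));
                    if (!close) break;              /* unterminated quote */
                    q = close + 1;
                    continue;
                }
                size_t len = strcspn(q, " \t\n#");
                if (len == 6 && strncmp(q, "secure", 6) == 0) return 1;
                q += len;                           /* "insecure" never matches */
            }
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Behaviour described in the post: demand the root password before the
 * single-user shell unless the console is marked secure (assumed source). */
int single_user_needs_password(const char *ttys)
{
    return !tty_is_secure(ttys, "console");
}

int main(void) { printf("%d\n", single_user_needs_password(SAMPLE_TTYS)); return 0; }
```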