>Alas, "full" password mode on at least some of the Sun systems I have used >will also prompt for the password before completing any legitimate boot, >more or less cripping the lab/server in the event of any kind of >unattended restart. Such as might well happen in a lab, or on a server >after a panic, power out, or other incident. It also does not prevent the >Stop-A/Break from freezing the running system. Correct; this is why at one point in my past I had a lab configured with a shutdown/bootup script (an rcX.d script) that would switch security-mode full to command on shutdown and switch command to full on boot. This way you could reboot remotely, but anyone typing L1-A or wanting to pwer cycle would have to go to the sysadmin's office and explain why he/she did what he did (you guessed it, student environment) >I believe that setting the EEPROM security mode to "command" will prevent >anyone from doing much to the system other than to Stop-A/Break halt it >and reboot with the default boot params; it will also will allow a halted >machine to be continued. It should (at least so the manual pages seem to >claim) not allow other commands, and I am pretty sure it will allow an >unattended reboot to the default boot device. Seems like this would be >the best remedy in a lab environment. Correct. >Note that none of the modes will prevent the Stop-A/Break halt itself, >AFAIK. But now we're talking physical access issues, and all physcially >accessible system are subject to the snip hole (power cord? <snip>), and >the spray hole (spray water into the box), should the malicious person >want to halt it in person. In Solaris 2.6, you can edit /etc/default/kbd and disable console break as well. (Add KEYBOARD_ABORT=disable) Here's the script/install as /etc/init.d/security-mode and make the following links: ln -s /etc/init.d/security-mode /etc/rc0.d/K99secmode ln -s /etc/init.d/security-mode /etc/rc2.d/S06secmode #!/sbin/sh PATH=/bin:/usr/sbin:/usr/bin export PATH # When shutting down security mode is set to command if full. # If the security mode is changed, /security-full is touched. # When starting security mode is reset to full when /security-full # exists and all mode is command. file=/security-full mode=`expr "\`eeprom security-mode\`" : 'security-mode=\(.*\)'` #echo mode=$mode case "$1" in 'start') if [ -f $file -a "$mode" = command ] then rm $file && eeprom security-mode=full #echo mode set to full fi ;; 'stop') if [ "$mode" = full ] then touch $file && eeprom security-mode=command #echo mode set to command fi ;; *) echo Usage: /etc/init.d/security-mode { start | stop } 1>&2 ;; esac
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:04 PDT