>Alas, "full" password mode on at least some of the Sun systems I have used
>will also prompt for the password before completing any legitimate boot,
>more or less cripping the lab/server in the event of any kind of
>unattended restart. Such as might well happen in a lab, or on a server
>after a panic, power out, or other incident. It also does not prevent the
>Stop-A/Break from freezing the running system.
Correct; this is why at one point in my past I had a lab configured with
a shutdown/bootup script (an rcX.d script) that would switch security-mode
full to command on shutdown and switch command to full on boot.
This way you could reboot remotely, but anyone typing L1-A or wanting
to pwer cycle would have to go to the sysadmin's office and explain why
he/she did what he did (you guessed it, student environment)
>I believe that setting the EEPROM security mode to "command" will prevent
>anyone from doing much to the system other than to Stop-A/Break halt it
>and reboot with the default boot params; it will also will allow a halted
>machine to be continued. It should (at least so the manual pages seem to
>claim) not allow other commands, and I am pretty sure it will allow an
>unattended reboot to the default boot device. Seems like this would be
>the best remedy in a lab environment.
Correct.
>Note that none of the modes will prevent the Stop-A/Break halt itself,
>AFAIK. But now we're talking physical access issues, and all physcially
>accessible system are subject to the snip hole (power cord? <snip>), and
>the spray hole (spray water into the box), should the malicious person
>want to halt it in person.
In Solaris 2.6, you can edit /etc/default/kbd and disable console
break as well. (Add KEYBOARD_ABORT=disable)
Here's the script/install as /etc/init.d/security-mode and make
the following links:
ln -s /etc/init.d/security-mode /etc/rc0.d/K99secmode
ln -s /etc/init.d/security-mode /etc/rc2.d/S06secmode
#!/sbin/sh
PATH=/bin:/usr/sbin:/usr/bin
export PATH
# When shutting down security mode is set to command if full.
# If the security mode is changed, /security-full is touched.
# When starting security mode is reset to full when /security-full
# exists and all mode is command.
file=/security-full
mode=`expr "\`eeprom security-mode\`" : 'security-mode=\(.*\)'`
#echo mode=$mode
case "$1" in
'start')
if [ -f $file -a "$mode" = command ]
then
rm $file && eeprom security-mode=full
#echo mode set to full
fi
;;
'stop')
if [ "$mode" = full ]
then
touch $file && eeprom security-mode=command
#echo mode set to command
fi
;;
*) echo Usage: /etc/init.d/security-mode { start | stop } 1>&2
;;
esac
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:04 PDT