Bugtraq
mailing list archives
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Mon, 13 Jul 1998 22:14:03 +0200

> Alas, "full" password mode on at least some of the Sun systems I have used
> will also prompt for the password before completing any legitimate boot,
> more or less crippling the lab/server in the event of any kind of
> unattended restart. Such as might well happen in a lab, or on a server
> after a panic, power out, or other incident. It also does not prevent the
> Stop-A/Break from freezing the running system.

Correct; this is why at one point in my past I had a lab configured with
a shutdown/bootup script (an rcX.d script) that would switch security-mode
full to command on shutdown and switch command to full on boot.

This way you could reboot remotely, but anyone typing L1-A or wanting
to power cycle would have to go to the sysadmin's office and explain why
he/she did what he did (you guessed it, student environment)

> I believe that setting the EEPROM security mode to "command" will prevent
> anyone from doing much to the system other than to Stop-A/Break halt it
> and reboot with the default boot params; it will also allow a halted
> machine to be continued. It should (at least so the manual pages seem to
> claim) not allow other commands, and I am pretty sure it will allow an
> unattended reboot to the default boot device. Seems like this would be
> the best remedy in a lab environment.

Correct.

> Note that none of the modes will prevent the Stop-A/Break halt itself,
> AFAIK. But now we're talking physical access issues, and all physically
> accessible systems are subject to the snip hole (power cord? <snip>), and
> the spray hole (spray water into the box), should the malicious person
> want to halt it in person.

In Solaris 2.6, you can edit /etc/default/kbd and disable console
break as well. (Add KEYBOARD_ABORT=disable)

Here's the script/install as /etc/init.d/security-mode and make
the following links:

        ln -s /etc/init.d/security-mode /etc/rc0.d/K99secmode
        ln -s /etc/init.d/security-mode /etc/rc2.d/S06secmode

#!/sbin/sh

PATH=/bin:/usr/sbin:/usr/bin
export PATH

# When shutting down security mode is set to command if full.
# If the security mode is changed, /security-full is touched.
# When starting security mode is reset to full when /security-full
# exists and the mode is command.

file=/security-full

# eeprom prints "security-mode=<value>"; keep only the value.
mode=`expr "\`eeprom security-mode\`" : 'security-mode=\(.*\)'`

#echo mode=$mode

case "$1" in
'start')
        if [ -f $file -a "$mode" = command ]
        then
                rm $file && eeprom security-mode=full
                #echo mode set to full
        fi
        ;;
'stop')
        if [ "$mode" = full ]
        then
                touch $file && eeprom security-mode=command
                #echo mode set to command
        fi
        ;;
*)      # Quoted so the shell does not treat "|" as a pipe.
        echo "Usage: /etc/init.d/security-mode { start | stop }" 1>&2
        ;;
esac
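
A check that the script above and the /etc/default/kbd setting left a machine in the intended state, as an added example that is not part of the original post. The function names and state labels are hypothetical, and "enable" is assumed to be the KEYBOARD_ABORT default when the setting is absent.

```shell
#!/bin/sh
# Added example: audit the state left by the security-mode rc script
# and /etc/default/kbd. State names below are hypothetical labels.

# parse_mode LINE: value from "security-mode=VALUE" (eeprom's output).
parse_mode() {
    echo "$1" | sed -n 's/^security-mode=//p'
}

# kbd_abort FILE: last uncommented KEYBOARD_ABORT value; "enable" is
# assumed as the default when the file or the setting is missing.
kbd_abort() {
    val=`sed -n 's/^KEYBOARD_ABORT=//p' "$1" 2>/dev/null | sed -n '$p'`
    echo "${val:-enable}"
}

# classify MODE MARKER: name the state of a running system.
classify() {
    marker=no
    [ -f "$2" ] && marker=yes
    case "$1:$marker" in
    full:no)     echo ok-full ;;           # normal after a clean boot
    full:yes)    echo stale-marker ;;      # marker left behind
    command:yes) echo restore-failed ;;    # start has not restored full
    command:no)  echo command-by-choice ;; # rc script is a no-op here
    none:*)      echo unprotected ;;       # no PROM password at all
    *)           echo unknown ;;
    esac
}

# audit EEPROM_LINE MARKER KBD_FILE: print a report, return 1 on findings.
audit() {
    mode=`parse_mode "$1"`
    state=`classify "$mode" "$2"`
    abort=`kbd_abort "$3"`
    echo "prom=$state keyboard_abort=$abort"
    case "$state" in ok-full|command-by-choice) ;; *) return 1 ;; esac
    [ "$abort" = disable ]
}

# On a live system, as root:
#   audit "`eeprom security-mode`" /security-full /etc/default/kbd
```

The restore-failed state is the one to watch for: the marker file exists but the PROM is still in command mode, so the machine is running with less protection than the administrator configured.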