Re: boot loader

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tom <tom@lemuria.org>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: boot loader
Date: Tue, 23 Apr 2002 14:20:51 +0200	[thread overview]
Message-ID: <20020423142051.A24878@lemuria.org> (raw)
In-Reply-To: <20020423115519.83E491916@lyta.coker.com.au>; from russell@coker.com.au on Tue, Apr 23, 2002 at 01:55:19PM +0200

On Tue, Apr 23, 2002 at 01:55:19PM +0200, Russell Coker wrote:
> > Physical access to the hardware always means you have lost (an
> 
> Ability to disassemble the machine always means you have lost.  Ability to 
> access the keyboard, mouse, and (non-bootable) floppy drive should not cause 
> a problem.
> 
> Think of terminals in Internet Cafe's and University computer labs.

But how does a boot-password offer any protection in these settings?


> > encrypted filesystem being the exception).
> 
> An encrypted file system is not a magic bullet.  How does the machine with 
> the encrypted file system get it's unlock password?

The same way that it gets the boot password. :)


> Hosting centers that I am familiar with do not have enough security cameras, 
> and the locks on cabinet doors are easily pickable.  Someone who has 
> authorised access to one company's equipment (authorisation being arranged by 
> unencrypted and unsigned email over a public network) can do whatever they 
> like to other machines.

No security-aware hosting center will let run people around
unsupervised unless every customer has a steel-cage of his own.


> But that's beside the point.  The fact that some people choose to not use a 
> particular security method does not mean that I will choose to not support 
> it.

I agree. The point was that lilo.conf may or may not be especially
sensitive, depending on the setup. It may be, but similiar points may
be made for many other files (/etc/ppp/*.secrets, snmp config files,
quite a lot of things actually).

See my other posting - where the "line of authority" runs is a specific
question. On some systems, root=god will still (largely) be true with
SELinux installed, on other systems even two of the three admins may
not be authorized to access lilo.conf.

Difficult to generalize.

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
     Key fingerprint = 276B B7BB E4D8 FCCE DB8F  F965 310B 811A D88D 35A6

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2002-04-23 12:20 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-04-20 12:37 boot loader Russell Coker
2002-04-20 15:24 ` Ivan Pulleyn
2002-04-20 18:14   ` Russell Coker
2002-04-22 11:48 ` Stephen Smalley
2002-04-22 19:58   ` Russell Coker
2002-04-22 20:39     ` Stephen Smalley
2002-04-22 22:08       ` Russell Coker
2002-04-22 22:27         ` Stephen Smalley
2002-04-22 22:45           ` Russell Coker
2002-04-23  5:43             ` Tom
2002-04-23 11:55               ` Russell Coker
2002-04-23 12:20                 ` Tom [this message]
2002-04-23 12:44                   ` Russell Coker
2002-04-23 15:36                     ` Tom
2002-04-23 16:50                       ` Russell Coker
2002-04-23 17:03                         ` Stephen Smalley
2002-04-23  5:40           ` Tom
  -- strict thread matches above, loose matches on Subject: below --
2015-04-28 15:12 Thiago Farina
2015-04-28 21:49 ` Richard Weinberger
2015-04-28 23:44   ` Thiago Farina
2015-04-29  2:17     ` Ken Moffat
2015-04-29  8:28 ` Geert Uytterhoeven
2015-05-11 22:11 ` Pavel Machek
2015-05-12  0:17   ` Thiago Farina
2015-05-12 11:11     ` Enrico Weigelt, metux IT consult
2015-05-13  7:02       ` Pavel Machek
2015-05-13  7:53         ` Enrico Weigelt, metux IT consult
2015-05-13  7:56           ` Pavel Machek
2003-12-22  9:58 Executable delay James Bates
2003-12-22 11:59 ` Boot Loader Kevin A. Sapp
2003-12-22 13:08   ` Wolfgang Denk
2002-12-09  6:05 Erik Christiansen
2002-12-09  7:43 ` Wolfgang Denk
2002-12-10  7:54   ` Erik Christiansen
2002-04-22 12:43 boot loader Westerman, Mark
     [not found] <36E192B5.6C18381B@noaa.gov>
1999-03-07  1:04 ` Cort Dougan
1999-03-08 10:14   ` Gabriel Paubert
1999-03-08 19:33     ` Cort Dougan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20020423142051.A24878@lemuria.org \
    --to=tom@lemuria.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.