9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] how to lock cpu console
@ 2010-08-31 14:20 baux80
  2010-08-31 14:31 ` Robert Raschke
  2010-08-31 14:55 ` John Floren
  0 siblings, 2 replies; 32+ messages in thread
From: baux80 @ 2010-08-31 14:20 UTC (permalink / raw)
  To: 9fans


Hi all,
	how to lock (protect by password) the cpu console? In the default install,
after boot the console is logged in as user bootes. Is there a way to avoid this?

tia,

bye

--
Maurizio Boriani
irc: #defocus@freenode.net
PGP key: 0xEBBFF70D
 => A5 96 C1 30 00 78 0C 78  57 5D 3E 05 C2 A4 6D 53 <=
Crudelitas in animalia est tirocinium crudelitatis
  contra homines



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 14:20 [9fans] how to lock cpu console baux80
@ 2010-08-31 14:31 ` Robert Raschke
  2010-08-31 14:55 ` John Floren
  1 sibling, 0 replies; 32+ messages in thread
From: Robert Raschke @ 2010-08-31 14:31 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


On Tue, Aug 31, 2010 at 3:20 PM, <baux80@gmail.com> wrote:

> how to lock (protect by password) the cpu console? In the default install,
> after boot the console is logged in as user bootes. Is there a way to avoid
> this?

Usually, you'll find people put it in a cupboard or room that you can
physically lock. I think someone may have made a screen lock for a cpu/file
server, but I cannot find it now. The standard thinking is that your servers
are yours, so you keep them safe. No one needs a public console to them.

Robby


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 14:20 [9fans] how to lock cpu console baux80
  2010-08-31 14:31 ` Robert Raschke
@ 2010-08-31 14:55 ` John Floren
  2010-08-31 15:04   ` erik quanstrom
                     ` (2 more replies)
  1 sibling, 3 replies; 32+ messages in thread
From: John Floren @ 2010-08-31 14:55 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Tue, Aug 31, 2010 at 10:20 AM,  <baux80@gmail.com> wrote:
>
> Hi all,
>        how to lock (protect by password) the cpu console? In the default install,
> after boot the console is logged in as user bootes. Is there a way to avoid this?
>
> tia,
>
> bye
>
> --
> Maurizio Boriani
> irc: #defocus@freenode.net
> PGP key: 0xEBBFF70D
>  => A5 96 C1 30 00 78 0C 78  57 5D 3E 05 C2 A4 6D 53 <=
> Crudelitas in animalia est tirocinium crudelitatis
>  contra homines
>
>

Hi Maurizio

This seems to come up every so often. The usual answer, and the one
which I use, is "who cares?" :) Where is your CPU server located? Are
there that many untrustworthy types passing through every day? I left
one of my CPU/auth/file servers sitting in a campus lab, accessible by
grad students and some undergrad courses, for over two years and never
saw so much as an "ls" entered, even though I had the keyboard, mouse,
and monitor hooked up the whole time. My biggest problem was that
people kept unplugging the network cable to use with their laptops!

Right now, I have my CPU/auth/file server sitting in a different lab,
with no input or output devices connected. That in itself is good
enough to stop casual meddlers.

Of course, if you have non-casual meddlers, somebody who is willing to
drag over a monitor and a keyboard just to fiddle with your PC, you'll
want to take further steps. Although I've never done it, I expect you
should be able to modify /cfg/<sysname>/cpustart to prevent local
access. Maybe a simple while/sleep loop would do the job?

There is also, somewhere, a screen locker program that (I think) Rob
wrote a few years back; I compiled it and used it successfully last
year, and you could certainly stick that in your cpustart to
automatically lock the screen. However, for the life of me I can't
find the code right now, so maybe somebody else can point to it.

A lot of people ask this kind of thing when they start using Plan 9. I
did. I think it comes from the illusion of safety given by the way
Linux and Windows and Mac OS X all ask for usernames and passwords
when they boot, despite the fact that only the most casual of
"attacker" would be put off by that, rather than, say, rebooting with
a LiveCD and grabbing your data that way. There's something to be said
for deterring casual fiddlers who can't help but touch an open
computer, though, and luckily it's not too hard in Plan 9.

John
-- 
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 14:55 ` John Floren
@ 2010-08-31 15:04   ` erik quanstrom
  2010-08-31 15:25     ` David Leimbach
                       ` (4 more replies)
  2010-09-01  9:48   ` baux80
  2010-09-01  9:48   ` baux80 at gmail.com
  2 siblings, 5 replies; 32+ messages in thread
From: erik quanstrom @ 2010-08-31 15:04 UTC (permalink / raw)
  To: slawmaster, 9fans

> There is also, somewhere, a screen locker program that (I think) Rob
> wrote a few years back; I compiled it and used it successfully last
> year, and you could certainly stick that in your cpustart to
> automatically lock the screen. However, for the life of me I can't
> find the code right now, so maybe somebody else can point to it.

i didn't suggest lock for cpu servers since it requires
rio.  seems silly to run rio on the console just to lock it.
and unfortunately, i think this method would also interfere
with the serial console.  and it wouldn't be immune to
a three-fingered salute, ^P, ^T^Tr, and other hilarity.

since there are no interrupts on the console, it would seem
trivial to me to, ahem, lock down the console with a 10 line program.
you'd be left with defending against ^T^Tr, ^P, etc.
but then again, the power button or network cable is sooo
convenient.  heck, just take the machine home.  :-P.

- erik



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 15:04   ` erik quanstrom
@ 2010-08-31 15:25     ` David Leimbach
  2010-08-31 15:25     ` Skip Tavakkolian
                       ` (3 subsequent siblings)
  4 siblings, 0 replies; 32+ messages in thread
From: David Leimbach @ 2010-08-31 15:25 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


In short.  Physical access trumps all other locking mechanisms anyway.

CPU servers were not meant to be workstations, and the lack of a screen lock
shows that.  But then workstations are easily stolen.  2 were taken from the
building where I work in the last weeks at a law firm office (we share our
building IANAL), and no amount of screen locks saved those.

However I still screensaver lock my desktop when I leave for the weekend.
 Not that it'd matter, if someone really wanted my data they could get it.

Dave



On Tue, Aug 31, 2010 at 8:04 AM, erik quanstrom <quanstro@quanstro.net> wrote:

> > There is also, somewhere, a screen locker program that (I think) Rob
> > wrote a few years back; I compiled it and used it successfully last
> > year, and you could certainly stick that in your cpustart to
> > automatically lock the screen. However, for the life of me I can't
> > find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio.  seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console.  and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient.  heck, just take the machine home.  :-P.
>
> - erik
>
>


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 15:04   ` erik quanstrom
  2010-08-31 15:25     ` David Leimbach
@ 2010-08-31 15:25     ` Skip Tavakkolian
  2010-08-31 18:18       ` Francisco J Ballesteros
  2010-08-31 20:45       ` Skip Tavakkolian
  2010-09-01  9:56     ` baux80 at gmail.com
                       ` (2 subsequent siblings)
  4 siblings, 2 replies; 32+ messages in thread
From: Skip Tavakkolian @ 2010-08-31 15:25 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs; +Cc: 9fans

Steve has a conslock in sources. I have a couple of CPUs in open areas
that I lock using it. Put it as the last action in /cfg/machine/cpurc
to lock on startup.

Sent from my iPhone

On Aug 31, 2010, at 8:04 AM, erik quanstrom <quanstro@quanstro.net>
wrote:

>> There is also, somewhere, a screen locker program that (I think) Rob
>> wrote a few years back; I compiled it and used it successfully last
>> year, and you could certainly stick that in your cpustart to
>> automatically lock the screen. However, for the life of me I can't
>> find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio.  seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console.  and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient.  heck, just take the machine home.  :-P.
>
> - erik
>



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 15:25     ` Skip Tavakkolian
@ 2010-08-31 18:18       ` Francisco J Ballesteros
  2010-08-31 19:54         ` andrey mirtchovski
  2010-08-31 20:45       ` Skip Tavakkolian
  1 sibling, 1 reply; 32+ messages in thread
From: Francisco J Ballesteros @ 2010-08-31 18:18 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

for cpu servers, I sometimes add cat /dev/kmesg /dev/kprint to cpurc.

as the console does not run rio and you can't hit Del to kill them,
they suffice to lock the keyboard.
there was also the lock program from Rob Pike, IIRC, posted here long
ago, I think.

perhaps not
On Tue, Aug 31, 2010 at 5:25 PM, Skip Tavakkolian
<skip.tavakkolian@gmail.com> wrote:
> Steve has a conslock in sources. I have a couple of CPUs in open areas that
> I lock using it. Put it as the last action in /cfg/machine/cpurc to lock on
> startup.
>
> Sent from my iPhone
>
> On Aug 31, 2010, at 8:04 AM, erik quanstrom <quanstro@quanstro.net> wrote:
>
>>> There is also, somewhere, a screen locker program that (I think) Rob
>>> wrote a few years back; I compiled it and used it successfully last
>>> year, and you could certainly stick that in your cpustart to
>>> automatically lock the screen. However, for the life of me I can't
>>> find the code right now, so maybe somebody else can point to it.
>>
>> i didn't suggest lock for cpu servers since it requires
>> rio.  seems silly to run rio on the console just to lock it.
>> and unfortunately, i think this method would also interfere
>> with the serial console.  and it wouldn't be immune to
>> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>>
>> since there are no interrupts on the console, it would seem
>> trivial to me to, ahem, lock down the console with a 10 line program.
>> you'd be left with defending against ^T^Tr, ^P, etc.
>> but then again, the power button or network cable is sooo
>> convenient.  heck, just take the machine home.  :-P.
>>
>> - erik
>>
>
>



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 18:18       ` Francisco J Ballesteros
@ 2010-08-31 19:54         ` andrey mirtchovski
  0 siblings, 0 replies; 32+ messages in thread
From: andrey mirtchovski @ 2010-08-31 19:54 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

here's something quite old which used to work:

http://mirtchovski.com/lanlp9/rlock/index.html



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 15:25     ` Skip Tavakkolian
  2010-08-31 18:18       ` Francisco J Ballesteros
@ 2010-08-31 20:45       ` Skip Tavakkolian
  2010-09-01  4:21         ` Federico G. Benavento
                           ` (2 more replies)
  1 sibling, 3 replies; 32+ messages in thread
From: Skip Tavakkolian @ 2010-08-31 20:45 UTC (permalink / raw)
  To: 9fans

see: /n/sources/contrib/steve/rc/conslock

if you have more than one cpu, change this line:
	pwd=$home/lib/conslock.hash
to
	pwd=$home/lib/conslock.^$sysname^.hash




^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-08-31 20:45       ` Skip Tavakkolian
@ 2010-09-01  4:21         ` Federico G. Benavento
  2010-09-01  4:44           ` John Floren
  2010-09-01 15:11           ` erik quanstrom
  2010-09-01 10:09         ` baux80
  2010-09-01 10:09         ` baux80 at gmail.com
  2 siblings, 2 replies; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01  4:21 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

now there's also screenlock(8)

http://plan9.bell-labs.com/magic/man2html/8/screenlock

similar to conslock, but authenticates against the auth server

On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
>        pwd=$home/lib/conslock.hash
> to
>        pwd=$home/lib/conslock.^$sysname^.hash
>
>
>



-- 
Federico G. Benavento



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01  4:21         ` Federico G. Benavento
@ 2010-09-01  4:44           ` John Floren
  2010-09-01 15:11           ` erik quanstrom
  1 sibling, 0 replies; 32+ messages in thread
From: John Floren @ 2010-09-01  4:44 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Don't do this under drawterm, at least not on Windows. It'll gobble
your mouse right up, or at least it did mine.

Of course, there's no reason to run this in drawterm, since your host
OS is certain to have its own screen locker...

John

On Wed, Sep 1, 2010 at 12:21 AM, Federico G. Benavento
<benavento@gmail.com> wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server
>
> On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
>> see: /n/sources/contrib/steve/rc/conslock
>>
>> if you have more than one cpu, change this line:
>>        pwd=$home/lib/conslock.hash
>> to
>>        pwd=$home/lib/conslock.^$sysname^.hash
>>
>>
>>
>
>
>
> --
> Federico G. Benavento
>
>



-- 
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich



^ permalink raw reply	[flat|nested] 32+ messages in thread

* [9fans] how to lock cpu console
  2010-08-31 14:55 ` John Floren
  2010-08-31 15:04   ` erik quanstrom
  2010-09-01  9:48   ` baux80
@ 2010-09-01  9:48   ` baux80 at gmail.com
  2 siblings, 0 replies; 32+ messages in thread
From: baux80 at gmail.com @ 2010-09-01  9:48 UTC (permalink / raw)


On 31 August 2010 at 10:55, John Floren <slawmaster at gmail.com> wrote:
> 
> This seems to come up every so often. The usual answer, and the one
> which I use, is "who cares?" :) Where is your CPU server located? Are
> there that many untrustworthy types passing through every day? 

ok, you unmasked me :-) It was only a theoretical question... not a real need :-)

> I left
> one of my CPU/auth/file servers sitting in a campus lab, accessible by
> grad students and some undergrad courses, for over two years and never
> saw so much as an "ls" entered, even though I had the keyboard, mouse,
> and monitor hooked up the whole time. My biggest problem was that
> people kept unplugging the network cable to use with their laptops!

mine too :-)

[...]

> There is also, somewhere, a screen locker program that (I think) Rob
> wrote a few years back; I compiled it and used it successfully last
> year, and you could certainly stick that in your cpustart to
> automatically lock the screen. However, for the life of me I can't
> find the code right now, so maybe somebody else can point to it.

this sounds good, a screen locker called by cpustart  

[...]

> rebooting with
> a LiveCD and grabbing your data that way. There's something to be said
> for deterring casual fiddlers who can't help but touch an open
> computer, though, and luckily it's not too hard in Plan 9.

obviously... If an attacker got console place, the smartest thing to do (in my
opinion) is to steal the hard disks :-) (or insert a bootable cd and throw 
away every dummy password and user).

thanks,

bye



^ permalink raw reply	[flat|nested] 32+ messages in thread


* [9fans] how to lock cpu console
  2010-08-31 15:04   ` erik quanstrom
  2010-08-31 15:25     ` David Leimbach
  2010-08-31 15:25     ` Skip Tavakkolian
@ 2010-09-01  9:56     ` baux80 at gmail.com
  2010-09-01  9:56     ` baux80
       [not found]     ` <E1Oqk2g-0003Ze-1W@gouda.swtch.com>
  4 siblings, 0 replies; 32+ messages in thread
From: baux80 at gmail.com @ 2010-09-01  9:56 UTC (permalink / raw)


On 31 August 2010 at 11:04, erik quanstrom <quanstro at quanstro.net> wrote:
> i didn't suggest lock for cpu servers since it requires
> rio.  seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console.  and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.

yeah :-) as replied to John Floren, was only a theoretical question
(and I suspected the answer). For some unix servers too we leave the console
logged in. In hard crash conditions the login process also doesn't work, and
having a console logged in is useful and doesn't take security away

> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient.  heck, just take the machine home.  :-P.

who cares about user/pass when you can pull off the hard drives :-)

thanks :-)

bye



^ permalink raw reply	[flat|nested] 32+ messages in thread


* Re: [9fans] how to lock cpu console
  2010-08-31 20:45       ` Skip Tavakkolian
  2010-09-01  4:21         ` Federico G. Benavento
@ 2010-09-01 10:09         ` baux80
  2010-09-01 10:09         ` baux80 at gmail.com
  2 siblings, 0 replies; 32+ messages in thread
From: baux80 @ 2010-09-01 10:09 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 31 August 2010 at 13:45, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
> 	pwd=$home/lib/conslock.hash
> to
> 	pwd=$home/lib/conslock.^$sysname^.hash

works well! :-) If some day I leave a cpu server in an uncontrolled place
I'll use it :-)

thanks

bye



^ permalink raw reply	[flat|nested] 32+ messages in thread


* Re: [9fans] how to lock cpu console
  2010-09-01  4:21         ` Federico G. Benavento
  2010-09-01  4:44           ` John Floren
@ 2010-09-01 15:11           ` erik quanstrom
  2010-09-01 16:57             ` Federico G. Benavento
  1 sibling, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 15:11 UTC (permalink / raw)
  To: 9fans

On Wed Sep  1 00:23:45 EDT 2010, benavento@gmail.com wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server

not similar.  it depends on rio.

- erik



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 15:11           ` erik quanstrom
@ 2010-09-01 16:57             ` Federico G. Benavento
  2010-09-01 17:22               ` erik quanstrom
  0 siblings, 1 reply; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01 16:57 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

you're right, I thought conslock was rob's lock program

http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/

On Wed, Sep 1, 2010 at 12:11 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep  1 00:23:45 EDT 2010, benavento@gmail.com wrote:
>> now there's also screenlock(8)
>>
>> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>>
>> similar to conslock, but authenticates against the auth server
>
> not similar.  it depends on rio.
>
> - erik
>
>



-- 
Federico G. Benavento



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 16:57             ` Federico G. Benavento
@ 2010-09-01 17:22               ` erik quanstrom
  2010-09-01 17:44                 ` John Floren
  2010-09-01 17:56                 ` Federico G. Benavento
  0 siblings, 2 replies; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 17:22 UTC (permalink / raw)
  To: benavento, 9fans

On Wed Sep  1 12:58:54 EDT 2010, benavento@gmail.com wrote:
> you're right, I thought conslock was rob's lock program
>
> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/

i hate doing this, but that depends on rio, too.  the open of
/dev/screen -> error() -> exits("fatal error");

- erik



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 17:22               ` erik quanstrom
@ 2010-09-01 17:44                 ` John Floren
  2010-09-01 18:14                   ` erik quanstrom
  2010-09-01 18:24                   ` frank
  2010-09-01 17:56                 ` Federico G. Benavento
  1 sibling, 2 replies; 32+ messages in thread
From: John Floren @ 2010-09-01 17:44 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Wed, Sep 1, 2010 at 1:22 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep  1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too.  the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>
>

Thus, screenlock is like rob's lock program...

rio is such a minor thing to run on today's massive machines, I'm not
sure I really see the problem in starting it on your cpu server
anyway. I frequently set them up to launch into rio because:
1. It's easier to fix things when I can cat /dev/kprint in a window
rather than have it constantly interrupting me
2. I like to be able to interrupt programs
3. It's nice to run more than one thing at once, have a graphical editor, etc.
4. Full-screen stats is pretty

Of course, none of these reasons matter to you, since you don't run
rio on your servers AND you don't think there's any reason to lock
them (I agree!), I'm just pointing out that graphical lockers and rio
in general are far from useless on a cpu server.


John
-- 
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 17:22               ` erik quanstrom
  2010-09-01 17:44                 ` John Floren
@ 2010-09-01 17:56                 ` Federico G. Benavento
  1 sibling, 0 replies; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01 17:56 UTC (permalink / raw)
  To: erik quanstrom; +Cc: 9fans

On Wed, Sep 1, 2010 at 2:22 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep  1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too.  the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>

exactly

-- 
Federico G. Benavento



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 17:44                 ` John Floren
@ 2010-09-01 18:14                   ` erik quanstrom
  2010-09-01 18:31                     ` John Floren
  2010-09-01 18:24                   ` frank
  1 sibling, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 18:14 UTC (permalink / raw)
  To: 9fans

> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:
> 1. It's easier to fix things when I can cat /dev/kprint in a window
> rather than have it constantly interrupting me
> 2. I like to be able to interrupt programs
> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
> 4. Full-screen stats is pretty
>
> Of course, none of these reasons matter to you, since you don't run
> rio on your servers AND you don't think there's any reason to lock
> them (I agree!), I'm just pointing out that graphical lockers and rio
> in general are far from useless on a cpu server.

i'll buy that.  but i think you're missing the basic reason
that the plan 9 cpu console is so minimal.  there's no
reason to use one, unless you are doing the most basic of
system maintenance.  and using one is not without risk.
for example
- you've got admin privs.  it's easy to forget and abuse this.
- an errant ^T^Tr ^P or vulcan nerve pinch reboots the
server and not your terminal.

here are some additional reasons that rio makes life
more difficult
- the serial console is now useless; no fixing or rebooting
the machine from home
- you need a kvm port or a real keyboard/video/mouse
to fiddle with the machine even locally.

for me, the loss of the serial console alone makes
running rio on a cpu server a non starter.
the serial console has saved me a good 3-4 trips into
the office this year.

- erik



^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 17:44                 ` John Floren
  2010-09-01 18:14                   ` erik quanstrom
@ 2010-09-01 18:24                   ` frank
  1 sibling, 0 replies; 32+ messages in thread
From: frank @ 2010-09-01 18:24 UTC (permalink / raw)
  To: 9fans

On Wed, Sep 01, 2010 at 01:44:46PM -0400, John Floren wrote:
> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:

- When a keyboard and a mouse are attached, rio without a window
  protects you a little bit from accidentally typing something
  meaningful on the keyboard (I've got kids).

- The fine grey background almost looks like my favorite screensaver
  mode (blank). Of course, to wake up the monitor from time to time,
  you need to have a keyboard or mouse connected... oops;-)

--
Frank Lenaerts ---------------------------------------- frank@inua.be




^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [9fans] how to lock cpu console
  2010-09-01 18:14                   ` erik quanstrom
@ 2010-09-01 18:31                     ` John Floren
  2010-09-01 18:51                       ` erik quanstrom
  0 siblings, 1 reply; 32+ messages in thread
From: John Floren @ 2010-09-01 18:31 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Wed, Sep 1, 2010 at 2:14 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> rio is such a minor thing to run on today's massive machines, I'm not
>> sure I really see the problem in starting it on your cpu server
>> anyway. I frequently set them up to launch into rio because:
>> 1. It's easier to fix things when I can cat /dev/kprint in a window
>> rather than have it constantly interrupting me
>> 2. I like to be able to interrupt programs
>> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
>> 4. Full-screen stats is pretty
>>
>> Of course, none of these reasons matter to you, since you don't run
>> rio on your servers AND you don't think there's any reason to lock
>> them (I agree!), I'm just pointing out that graphical lockers and rio
>> in general are far from useless on a cpu server.
>
> i'll buy that.  but i think you're missing the basic reason
> that the plan 9 cpu console is so minimal.  there's no
> reason to use one, unless you are doing the most basic of
> system maintenance.  and using one is not without risk.
> for example
> - you've got admin privs.  it's easy to forget and abuse this.
> - an errant ^T^Tr ^P or vulcan nerve pinch reboots the
> server and not your terminal.
>
> here are some additional reasons that rio makes life
> more difficult
> - the serial console is now useless; no fixing or rebooting
> the machine from home
> - you need a kvm port or a real keyboard/video/mouse
> to fiddle with the machine even locally.
>
> for me, the loss of the serial console alone makes
> running rio on a cpu server a non starter.
> the serial console has saved me a good 3-4 trips into
> the office this year.
>
> - erik

Those are reasonable points, definitely. Since I'm usually the only
one to use my servers (except at Sandia, where I share with Ron),
abusing my admin privs isn't a big deal.

At Sandia, the cpu/auth/file server is connected to a serial
multiplexer, so I don't run rio there. At my university lab, I didn't
bother to connect a serial line or a KVM, but the server sits right
under my terminal, so I can swap the connectors around and get a
physical console if I really need one.

Sometimes there's a good reason to run rio, sometimes it's actively
counterproductive. Now that I've admitted there might be more than one way
to do a thing, I should probably go put keyboard shortcuts into Acme
or something ;-)



John
-- 
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich




* Re: [9fans] how to lock cpu console
  2010-09-01 18:31                     ` John Floren
@ 2010-09-01 18:51                       ` erik quanstrom
  2010-09-01 19:41                         ` John Floren
  0 siblings, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 18:51 UTC (permalink / raw)
  To: slawmaster, 9fans

> Those are reasonable points, definitely. Since I'm usually the only
> one to use my servers (except at Sandia, where I share with Ron),
> abusing my admin privs isn't a big deal.

hey, isn't that the windows security model!  :-)

seriously, don't you open yourself up to more mistakes,
if you make it easy to do things as the hostowner?

- erik




* Re: [9fans] how to lock cpu console
       [not found]     ` <E1Oqk2g-0003Ze-1W@gouda.swtch.com>
@ 2010-09-01 19:14       ` Corey
  2010-09-01 19:52         ` erik quanstrom
  0 siblings, 1 reply; 32+ messages in thread
From: Corey @ 2010-09-01 19:14 UTC (permalink / raw)
  To: 9fans

On Wednesday 01 September 2010 2:56:03 baux80@gmail.com wrote:
> > you'd be left with defending against ^T^Tr, ^P, etc.
> > but then again, the power button or network cable is sooo
> > convenient.  heck, just take the machine home.  :-P.
>
> who care user/pass when you can pull of hard drives :-)
>

I care - because I'm an evil hacker who wants _undetected_ ,
_long-term_ access to said machine. Stealing the machine or its
drive is nigh useless, and in fact totally counterproductive.

It's like killing the goose that would otherwise be laying golden eggs
for me.

Also, a logical fallacy:  Since X could sometimes be used to thwart Y, then
Y is useless in all cases.




* Re: [9fans] how to lock cpu console
  2010-09-01 18:51                       ` erik quanstrom
@ 2010-09-01 19:41                         ` John Floren
  0 siblings, 0 replies; 32+ messages in thread
From: John Floren @ 2010-09-01 19:41 UTC (permalink / raw)
  To: erik quanstrom; +Cc: 9fans

On Wed, Sep 1, 2010 at 2:51 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> Those are reasonable points, definitely. Since I'm usually the only
>> one to use my servers (except at Sandia, where I share with Ron),
>> abusing my admin privs isn't a big deal.
>
> hey, isn't that the windows security model!  :-)
>
> seriously, don't you open yourself up to more mistakes,
> if you make it easy to do things as the hostowner?
>
> - erik
>

I don't *work* as bootes, I just set things up/fix things as bootes
when the hostowner is absolutely required.

I already put my account in the adm and sys groups, so I can get just
about as much abuse as I want without ever logging in as the
hostowner.

John
-- 
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich




* Re: [9fans] how to lock cpu console
  2010-09-01 19:14       ` Corey
@ 2010-09-01 19:52         ` erik quanstrom
  2010-09-01 20:23           ` Corey
  0 siblings, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 19:52 UTC (permalink / raw)
  To: corey, 9fans

> Also, a logical fallacy:  Since X could sometimes be used to thwart Y, then
> Y is useless in all cases.

i think the correct statement of the thinking (or
at least my thinking) is

	we want to assert X, but
	since Y defeats X, we require !Y to assert X.

in something closer to english, the assertion is that
if one requires a secure server, you've got to have physical
security.  since there are too many easy ways to circumvent
most known security measures given physical access.

i don't think this assertion has anything to say about
console locking, just that it doesn't solve the stated problem—
excepting, of course, if the data on non-volatile storage is
encrypted and the key is lost on reboot.

- erik




* Re: [9fans] how to lock cpu console
  2010-09-01 19:52         ` erik quanstrom
@ 2010-09-01 20:23           ` Corey
  0 siblings, 0 replies; 32+ messages in thread
From: Corey @ 2010-09-01 20:23 UTC (permalink / raw)
  To: 9fans

On Wednesday 01 September 2010 12:52:40 erik quanstrom wrote:
> > Also, a logical fallacy:  Since X could sometimes be used to thwart Y,
> > then Y is useless in all cases.
> 
> i think the correct statement of the thinking (or
> at least my thinking) is
> 
> 	we want to assert X, but
> 	since Y defeats X, we require !Y to assert X.
> 
> in something closer to english, the assertion is that
> if one requires a secure server, you've got to have physical
> security.  since there are too many easy ways to circumvent
> most known security measures given physical access.
> 
> i don't think this assertion has anything to say about
> console locking, just that it doesn't solve the stated problem—
> excepting, of course, if the data on non-volatile storage is
> encrypted and the key is lost on reboot.
> 

Well, security isn't a binary state; it exists within a spectrum:
it's prudent and logical to utilize all means possible - and especially 
to cover the low hanging fruit.

It could be said that a locked door is security theatre - because all
it takes is a lockpick or crowbar to circumvent. Or that a helmet
is useless, because it doesn't prevent death from blood-loss or
shock sustained from other injuries.

Console passwords are an effective and relevant _auxiliary_precaution_ ,
to be utilized in addition to the other available methods at one's 
disposal - and they're such a no-brainer... it seems like more of 
a questionably useful symbolic gesture to not include such a
simple mechanism right out of the box as standard ops.

BUT... that's all for me with regards to this debate - I don't want
to get into it again.  (c8=   I know better than to argue on 9fans. <grin>


Cheers!

Corey




* Re: [9fans] how to lock cpu console
       [not found] <E1OqRh3-0005IS-Hi@gouda.swtch.com>
@ 2010-08-31 14:29 ` erik quanstrom
  0 siblings, 0 replies; 32+ messages in thread
From: erik quanstrom @ 2010-08-31 14:29 UTC (permalink / raw)
  To: 9fans

On Tue Aug 31 10:21:42 EDT 2010, baux80@gmail.com wrote:
>
> Hi all,
> 	how to lock (protect by password) the cpu console? In default install
> afterboot the console is logged by user bootes. Is there a way to avoid this?
>

the quick answer is that it's not possible out of the box.

previous discussions here (and one spurious Promela model):

http://9fans.net/archive/?q=%27console+%28.|\n%29*lock+|%28^|+%29lock+.*%28.|\n%29console%27&go=Grep

- erik




