* Re: [9fans] how to lock cpu console
2010-08-31 15:04 ` erik quanstrom
@ 2010-08-31 15:25 ` David Leimbach
2010-08-31 15:25 ` Skip Tavakkolian
` (3 subsequent siblings)
4 siblings, 0 replies; 32+ messages in thread
From: David Leimbach @ 2010-08-31 15:25 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
In short. Physical access trumps all other locking mechanisms anyway.
CPU servers were not meant to be workstations, and the lack of a screen lock
shows that. But then workstations are easily stolen. 2 were taken from the
building where I work in the last weeks at a law firm office (we share our
building IANAL), and no amount of screen locks saved those.
However I still screensaver lock my desktop when I leave for the weekend.
Not that it'd matter, if someone really wanted my data they could get it.
Dave
On Tue, Aug 31, 2010 at 8:04 AM, erik quanstrom <quanstro@quanstro.net> wrote:
> > There is also, somewhere, a screen locker program that (I think) Rob
> > wrote a few years back; I compiled it and used it successfully last
> > year, and you could certainly stick that in your cpustart to
> > automatically lock the screen. However, for the life of me I can't
> > find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio. seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.
>
> - erik
>
>
* Re: [9fans] how to lock cpu console
2010-08-31 15:04 ` erik quanstrom
2010-08-31 15:25 ` David Leimbach
@ 2010-08-31 15:25 ` Skip Tavakkolian
2010-08-31 18:18 ` Francisco J Ballesteros
2010-08-31 20:45 ` Skip Tavakkolian
2010-09-01 9:56 ` baux80 at gmail.com
` (2 subsequent siblings)
4 siblings, 2 replies; 32+ messages in thread
From: Skip Tavakkolian @ 2010-08-31 15:25 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs; +Cc: 9fans
Steve has a conslock in sources. I have a couple of CPUs in open areas
that I lock using it. Put it as the last action in /cfg/machine/cpurc
to lock on startup.
Sent from my iPhone
On Aug 31, 2010, at 8:04 AM, erik quanstrom <quanstro@quanstro.net>
wrote:
>> There is also, somewhere, a screen locker program that (I think) Rob
>> wrote a few years back; I compiled it and used it successfully last
>> year, and you could certainly stick that in your cpustart to
>> automatically lock the screen. However, for the life of me I can't
>> find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio. seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.
>
> - erik
>
* Re: [9fans] how to lock cpu console
2010-08-31 15:25 ` Skip Tavakkolian
@ 2010-08-31 18:18 ` Francisco J Ballesteros
2010-08-31 19:54 ` andrey mirtchovski
2010-08-31 20:45 ` Skip Tavakkolian
1 sibling, 1 reply; 32+ messages in thread
From: Francisco J Ballesteros @ 2010-08-31 18:18 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
for cpu servers, I sometimes add cat /dev/kmesg /dev/kprint to cpurc.
as the console does not run rio and you can't hit Del to kill them,
they suffice to lock the keyboard.
there was also the lock program from Rob Pike, IIRC, posted here long
ago, I think.
perhaps not
On Tue, Aug 31, 2010 at 5:25 PM, Skip Tavakkolian
<skip.tavakkolian@gmail.com> wrote:
> Steve has a conslock in sources. I have a couple of CPUs in open areas that
> I lock using it. Put it as the last action in /cfg/machine/cpurc to lock on
> startup.
>
> Sent from my iPhone
>
> On Aug 31, 2010, at 8:04 AM, erik quanstrom <quanstro@quanstro.net> wrote:
>
>>> There is also, somewhere, a screen locker program that (I think) Rob
>>> wrote a few years back; I compiled it and used it successfully last
>>> year, and you could certainly stick that in your cpustart to
>>> automatically lock the screen. However, for the life of me I can't
>>> find the code right now, so maybe somebody else can point to it.
>>
>> i didn't suggest lock for cpu servers since it requires
>> rio. seems silly to run rio on the console just to lock it.
>> and unfortunately, i think this method would also interfere
>> with the serial console. and it wouldn't be immune to
>> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>>
>> since there are no interrupts on the console, it would seem
>> trivial to me to, ahem, lock down the console with a 10 line program.
>> you'd be left with defending against ^T^Tr, ^P, etc.
>> but then again, the power button or network cable is sooo
>> convenient. heck, just take the machine home. :-P.
>>
>> - erik
>>
>
>
* Re: [9fans] how to lock cpu console
2010-08-31 15:25 ` Skip Tavakkolian
2010-08-31 18:18 ` Francisco J Ballesteros
@ 2010-08-31 20:45 ` Skip Tavakkolian
2010-09-01 4:21 ` Federico G. Benavento
` (2 more replies)
1 sibling, 3 replies; 32+ messages in thread
From: Skip Tavakkolian @ 2010-08-31 20:45 UTC (permalink / raw)
To: 9fans
see: /n/sources/contrib/steve/rc/conslock
if you have more than one cpu, change this line:
pwd=$home/lib/conslock.hash
to
pwd=$home/lib/conslock.^$sysname^.hash
* Re: [9fans] how to lock cpu console
2010-08-31 20:45 ` Skip Tavakkolian
@ 2010-09-01 4:21 ` Federico G. Benavento
2010-09-01 4:44 ` John Floren
2010-09-01 15:11 ` erik quanstrom
2010-09-01 10:09 ` baux80
2010-09-01 10:09 ` baux80 at gmail.com
2 siblings, 2 replies; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01 4:21 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
now there's also screenlock(8)
http://plan9.bell-labs.com/magic/man2html/8/screenlock
similar to conslock, but authenticates against the auth server
On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
> pwd=$home/lib/conslock.hash
> to
> pwd=$home/lib/conslock.^$sysname^.hash
>
>
>
--
Federico G. Benavento
* Re: [9fans] how to lock cpu console
2010-09-01 4:21 ` Federico G. Benavento
@ 2010-09-01 4:44 ` John Floren
2010-09-01 15:11 ` erik quanstrom
1 sibling, 0 replies; 32+ messages in thread
From: John Floren @ 2010-09-01 4:44 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Don't do this under drawterm, at least not on Windows. It'll gobble
your mouse right up, or at least it did mine.
Of course, there's no reason to run this in drawterm, since your host
OS is certain to have its own screen locker...
John
On Wed, Sep 1, 2010 at 12:21 AM, Federico G. Benavento
<benavento@gmail.com> wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server
>
> On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
>> see: /n/sources/contrib/steve/rc/conslock
>>
>> if you have more than one cpu, change this line:
>> pwd=$home/lib/conslock.hash
>> to
>> pwd=$home/lib/conslock.^$sysname^.hash
>>
>>
>>
>
>
>
> --
> Federico G. Benavento
>
>
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich
* Re: [9fans] how to lock cpu console
2010-09-01 4:21 ` Federico G. Benavento
2010-09-01 4:44 ` John Floren
@ 2010-09-01 15:11 ` erik quanstrom
2010-09-01 16:57 ` Federico G. Benavento
1 sibling, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 15:11 UTC (permalink / raw)
To: 9fans
On Wed Sep 1 00:23:45 EDT 2010, benavento@gmail.com wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server
not similar. it depends on rio.
- erik
* Re: [9fans] how to lock cpu console
2010-09-01 15:11 ` erik quanstrom
@ 2010-09-01 16:57 ` Federico G. Benavento
2010-09-01 17:22 ` erik quanstrom
0 siblings, 1 reply; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01 16:57 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
you're right, I thought conslock was rob's lock program
http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
On Wed, Sep 1, 2010 at 12:11 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep 1 00:23:45 EDT 2010, benavento@gmail.com wrote:
>> now there's also screenlock(8)
>>
>> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>>
>> similar to conslock, but authenticates against the auth server
>
> not similar. it depends on rio.
>
> - erik
>
>
--
Federico G. Benavento
* Re: [9fans] how to lock cpu console
2010-09-01 16:57 ` Federico G. Benavento
@ 2010-09-01 17:22 ` erik quanstrom
2010-09-01 17:44 ` John Floren
2010-09-01 17:56 ` Federico G. Benavento
0 siblings, 2 replies; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 17:22 UTC (permalink / raw)
To: benavento, 9fans
On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
> you're right, I thought conslock was rob's lock program
>
> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
i hate doing this, but that depends on rio, too. the open of
/dev/screen -> error() -> exits("fatal error");
- erik
* Re: [9fans] how to lock cpu console
2010-09-01 17:22 ` erik quanstrom
@ 2010-09-01 17:44 ` John Floren
2010-09-01 18:14 ` erik quanstrom
2010-09-01 18:24 ` frank
2010-09-01 17:56 ` Federico G. Benavento
1 sibling, 2 replies; 32+ messages in thread
From: John Floren @ 2010-09-01 17:44 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Wed, Sep 1, 2010 at 1:22 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too. the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>
>
Thus, screenlock is like rob's lock program...
rio is such a minor thing to run on today's massive machines, I'm not
sure I really see the problem in starting it on your cpu server
anyway. I frequently set them up to launch into rio because:
1. It's easier to fix things when I can cat /dev/kprint in a window
rather than have it constantly interrupting me
2. I like to be able to interrupt programs
3. It's nice to run more than one thing at once, have a graphical editor, etc.
4. Full-screen stats is pretty
Of course, none of these reasons matter to you, since you don't run
rio on your servers AND you don't think there's any reason to lock
them (I agree!), I'm just pointing out that graphical lockers and rio
in general are far from useless on a cpu server.
John
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich
* Re: [9fans] how to lock cpu console
2010-09-01 17:44 ` John Floren
@ 2010-09-01 18:14 ` erik quanstrom
2010-09-01 18:31 ` John Floren
2010-09-01 18:24 ` frank
1 sibling, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 18:14 UTC (permalink / raw)
To: 9fans
> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:
> 1. It's easier to fix things when I can cat /dev/kprint in a window
> rather than have it constantly interrupting me
> 2. I like to be able to interrupt programs
> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
> 4. Full-screen stats is pretty
>
> Of course, none of these reasons matter to you, since you don't run
> rio on your servers AND you don't think there's any reason to lock
> them (I agree!), I'm just pointing out that graphical lockers and rio
> in general are far from useless on a cpu server.
i'll buy that. but i think you're missing the basic reason
that the plan 9 cpu console is so minimal. there's no
reason to use one, unless you are doing the most basic of
system maintenance. and using one is not without risk.
for example
- you've got admin privs. it's easy to forget and abuse this.
- an errant ^T^Tr ^P or vulcan nerve pinch reboots the
server and not your terminal.
here are some additional reasons that rio makes life
more difficult
- the serial console is now useless; no fixing or rebooting
the machine from home
- you need a kvm port or a real keyboard/video/mouse
to fiddle with the machine even locally.
for me, the loss of the serial console alone makes
running rio on a cpu server a non starter.
the serial console has saved me a good 3-4 trips into
the office this year.
- erik
* Re: [9fans] how to lock cpu console
2010-09-01 18:14 ` erik quanstrom
@ 2010-09-01 18:31 ` John Floren
2010-09-01 18:51 ` erik quanstrom
0 siblings, 1 reply; 32+ messages in thread
From: John Floren @ 2010-09-01 18:31 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On Wed, Sep 1, 2010 at 2:14 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> rio is such a minor thing to run on today's massive machines, I'm not
>> sure I really see the problem in starting it on your cpu server
>> anyway. I frequently set them up to launch into rio because:
>> 1. It's easier to fix things when I can cat /dev/kprint in a window
>> rather than have it constantly interrupting me
>> 2. I like to be able to interrupt programs
>> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
>> 4. Full-screen stats is pretty
>>
>> Of course, none of these reasons matter to you, since you don't run
>> rio on your servers AND you don't think there's any reason to lock
>> them (I agree!), I'm just pointing out that graphical lockers and rio
>> in general are far from useless on a cpu server.
>
> i'll buy that. but i think you're missing the basic reason
> that the plan 9 cpu console is so minimal. there's no
> reason to use one, unless you are doing the most basic of
> system maintenance. and using one is not without risk.
> for example
> - you've got admin privs. it's easy to forget and abuse this.
> - an errant ^T^Tr ^P or vulcan nerve pinch reboots the
> server and not your terminal.
>
> here are some additional reasons that rio makes life
> more difficult
> - the serial console is now useless; no fixing or rebooting
> the machine from home
> - you need a kvm port or a real keyboard/video/mouse
> to fiddle with the machine even locally.
>
> for me, the loss of the serial console alone makes
> running rio on a cpu server a non starter.
> the serial console has saved me a good 3-4 trips into
> the office this year.
>
> - erik
Those are reasonable points, definitely. Since I'm usually the only
one to use my servers (except at Sandia, where I share with Ron),
abusing my admin privs isn't a big deal.
At Sandia, the cpu/auth/file server is connected to a serial
multiplexer, so I don't run rio there. At my university lab, I didn't
bother to connect a serial line or a KVM, but the server sits right
under my terminal, so I can swap the connectors around and get a
physical console if I really need one.
Sometimes there's a good reason to run rio, sometimes it's actively
counterproductive. Now that I've admitted there might be more than one way
to do a thing, I should probably go put keyboard shortcuts into Acme
or something ;-)
John
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich
* Re: [9fans] how to lock cpu console
2010-09-01 18:31 ` John Floren
@ 2010-09-01 18:51 ` erik quanstrom
2010-09-01 19:41 ` John Floren
0 siblings, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 18:51 UTC (permalink / raw)
To: slawmaster, 9fans
> Those are reasonable points, definitely. Since I'm usually the only
> one to use my servers (except at Sandia, where I share with Ron),
> abusing my admin privs isn't a big deal.
hey, isn't that the windows security model! :-)
seriously, don't you open yourself up to more mistakes,
if you make it easy to do things as the hostowner?
- erik
* Re: [9fans] how to lock cpu console
2010-09-01 18:51 ` erik quanstrom
@ 2010-09-01 19:41 ` John Floren
0 siblings, 0 replies; 32+ messages in thread
From: John Floren @ 2010-09-01 19:41 UTC (permalink / raw)
To: erik quanstrom; +Cc: 9fans
On Wed, Sep 1, 2010 at 2:51 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> Those are reasonable points, definitely. Since I'm usually the only
>> one to use my servers (except at Sandia, where I share with Ron),
>> abusing my admin privs isn't a big deal.
>
> hey, isn't that the windows security model! :-)
>
> seriously, don't you open yourself up to more mistakes,
> if you make it easy to do things as the hostowner?
>
> - erik
>
I don't *work* as bootes, I just set things up/fix things as bootes
when the hostowner is absolutely required.
I already put my account in the adm and sys groups, so I can get just
about as much abuse as I want without ever logging in as the
hostowner.
John
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich
* Re: [9fans] how to lock cpu console
2010-09-01 17:44 ` John Floren
2010-09-01 18:14 ` erik quanstrom
@ 2010-09-01 18:24 ` frank
1 sibling, 0 replies; 32+ messages in thread
From: frank @ 2010-09-01 18:24 UTC (permalink / raw)
To: 9fans
On Wed, Sep 01, 2010 at 01:44:46PM -0400, John Floren wrote:
> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:
- When a keyboard and a mouse are attached, rio without a window
protects you a little bit from accidentally typing something
meaningful on the keyboard (I've got kids).
- The fine grey background almost looks like my favorite screensaver
mode (blank). Of course, to wake up the monitor from time to time,
you need to have a keyboard or mouse connected... oops;-)
--
Frank Lenaerts ---------------------------------------- frank@inua.be
* Re: [9fans] how to lock cpu console
2010-09-01 17:22 ` erik quanstrom
2010-09-01 17:44 ` John Floren
@ 2010-09-01 17:56 ` Federico G. Benavento
1 sibling, 0 replies; 32+ messages in thread
From: Federico G. Benavento @ 2010-09-01 17:56 UTC (permalink / raw)
To: erik quanstrom; +Cc: 9fans
On Wed, Sep 1, 2010 at 2:22 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too. the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>
exactly
--
Federico G. Benavento
* Re: [9fans] how to lock cpu console
2010-08-31 20:45 ` Skip Tavakkolian
2010-09-01 4:21 ` Federico G. Benavento
@ 2010-09-01 10:09 ` baux80
2010-09-01 10:09 ` baux80 at gmail.com
2 siblings, 0 replies; 32+ messages in thread
From: baux80 @ 2010-09-01 10:09 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On 31 August 2010 at 13:45, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
> pwd=$home/lib/conslock.hash
> to
> pwd=$home/lib/conslock.^$sysname^.hash
works well! :-) If some day I leave a cpu server in an uncontrolled place
I'll use it :-)
thanks
bye
* Re: [9fans] how to lock cpu console
2010-08-31 15:04 ` erik quanstrom
` (2 preceding siblings ...)
2010-09-01 9:56 ` baux80 at gmail.com
@ 2010-09-01 9:56 ` baux80
[not found] ` <E1Oqk2g-0003Ze-1W@gouda.swtch.com>
4 siblings, 0 replies; 32+ messages in thread
From: baux80 @ 2010-09-01 9:56 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
On 31 August 2010 at 11:04, erik quanstrom <quanstro@quanstro.net> wrote:
> i didn't suggest lock for cpu servers since it requires
> rio. seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
yeah :-) as replied to John Floren, it was only a theoretical question
(and I suspected the answer). For some unix servers too we leave the console
logged in. In a hard crash condition the login process also doesn't work, and
having a console logged in is useful and doesn't take security away
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.
who cares about user/pass when you can pull off hard drives :-)
thanks :-)
bye
[parent not found: <E1Oqk2g-0003Ze-1W@gouda.swtch.com>]
* Re: [9fans] how to lock cpu console
[not found] ` <E1Oqk2g-0003Ze-1W@gouda.swtch.com>
@ 2010-09-01 19:14 ` Corey
2010-09-01 19:52 ` erik quanstrom
0 siblings, 1 reply; 32+ messages in thread
From: Corey @ 2010-09-01 19:14 UTC (permalink / raw)
To: 9fans
On Wednesday 01 September 2010 2:56:03 baux80@gmail.com wrote:
> > you'd be left with defending against ^T^Tr, ^P, etc.
> > but then again, the power button or network cable is sooo
> > convenient. heck, just take the machine home. :-P.
>
> who cares about user/pass when you can pull off hard drives :-)
>
I care - because I'm an evil hacker who wants _undetected_ ,
_long-term_ access to said machine. Stealing the machine or its
drive is nigh useless, and in fact totally counter productive.
It's like killing the goose that would otherwise be laying golden eggs
for me.
Also, a logical fallacy: Since X could sometimes be used to thwart Y, then
Y is useless in all cases.
* Re: [9fans] how to lock cpu console
2010-09-01 19:14 ` Corey
@ 2010-09-01 19:52 ` erik quanstrom
2010-09-01 20:23 ` Corey
0 siblings, 1 reply; 32+ messages in thread
From: erik quanstrom @ 2010-09-01 19:52 UTC (permalink / raw)
To: corey, 9fans
> Also, a logical fallacy: Since X could sometimes be used to thwart Y, then
> Y is useless in all cases.
i think the correct statement of the thinking (or
at least my thinking) is
we want to assert X, but
since Y defeats X, we require !Y to assert X.
in something closer to english, the assertion is that
if one requires a secure server, you've got to have physical
security. since there are too many easy ways to circumvent
most known security measures given physical access.
i don't think this assertion has anything to say about
console locking, just that it doesn't solve the stated problem—
excepting, of course, if the data on non-volatile storage is
encrypted and the key is lost on reboot.
- erik
* Re: [9fans] how to lock cpu console
2010-09-01 19:52 ` erik quanstrom
@ 2010-09-01 20:23 ` Corey
0 siblings, 0 replies; 32+ messages in thread
From: Corey @ 2010-09-01 20:23 UTC (permalink / raw)
To: 9fans
On Wednesday 01 September 2010 12:52:40 erik quanstrom wrote:
> > Also, a logical fallacy: Since X could sometimes be used to thwart Y,
> > then Y is useless in all cases.
>
> i think the correct statement of the thinking (or
> at least my thinking) is
>
> we want to assert X, but
> since Y defeats X, we require !Y to assert X.
>
> in something closer to english, the assertion is that
> if one requires a secure server, you've got to have physical
> security. since there are too many easy ways to circumvent
> most known security measures given physical access.
>
> i don't think this assertion has anything to say about
> console locking, just that it doesn't solve the stated problem—
> excepting, of course, if the data on non-volatile storage is
> encrypted and the key is lost on reboot.
>
Well, security isn't a binary state; it exists within a spectrum:
it's prudent and logical to utilize all means possible - and especially
to cover the low hanging fruit.
It could be said that a locked door is security theatre - because all
it takes is a lockpick or crowbar to circumvent. Or that a helmet
is useless, because it doesn't prevent death from blood-loss or
shock sustained from other injuries.
Console passwords are an effective and relevant _auxiliary_precaution_ ,
to be utilized in addition to the other available methods at one's
disposal - and they're such a no-brainer... it seems like more of
a questionably useful symbolic gesture to not include such a
simple mechanism right out of the box as standard ops.
BUT... that's all for me with regards to this debate - I don't want
to get into it again. (c8= I know better than to argue on 9fans. <grin>
Cheers!
Corey