Re: Preventing Single user mode booting

[Chuck Yerkes <chuck@snew.com>]

Quoting Mikael Gunnarsson (mikael@ports.se):
> 
> Unfortunately, if someone has physical access to the machine, they can
> always remove the cover and reset the BIOS..
> 
> You could always lock the machine up, or weld the case shut, tho.. :)

But in a student lab, for example, that's not subtle.  I
like the notion of removing floppies and CDs, perhaps
with one or two machines that have them for shared use?

This is the cost of using PC's as unix Workstations. They
are designed as user machines running Windows and needing
reinstalls every month or so.

The basic is to force them to use a password on single
user mode and lock the case.  A nightly "rebuild" ala
Jumpstart ain't gonna hurt anything either.

Other options?
Don't put anything on the machine - booting diskless is
possible (ok, a bit hard with PCs).  Keep /usr/ and /home/
on a server.  Swap is local.  It's be neat if BSD's had
a caching file system ala Irix/Solaris to keep NFS mounted
files cached, but it's not here.

Put the machine in another room - expose the "heads" only.

Get a couple servers, use XTerminals.  They end up requiring
almost no maintenance.  Cost of acquisition may be PC-like,
but with no disk, you don't need to do much with them other
than dust them.

This was a goal of Project Athena - workstation that were
in unsecure areas, but only bits of Athena have made it
in.  The toehold equivalents might include running mtree
on the /etc/ files before offering a new login (part of
xdm?) and keeping /usr on a truly secured server.