newby

[Dan Young]

Simon Ruiz wrote:
> So you mean there's a simple way for any user, any student, to get
> root access to our machines?

Simon,

Physical access to a machine trumps many software security provisions.

Having said that, you can edit the GRUB menu (/boot/grub/menu.lst ?) to
lock the "rescue" (single-user) option with a password to prevent editing:

http://www.gnu.org/software/grub/manual/html_node/Security.html

You'd also need to set the BIOS to boot from the hard disk first and add
a BIOS password to prevent booting from a Live CD. Then physically lock
the case to prevent resetting the NVRAM.

If the attackers bring in bolt cutters, you bring in a LART. He sends
one of yours to the hospital, you send one of his to the morgue. That's
the Chicago way... Oh, wait, forget that last part.

-- 
Dan Young <dyoung at mesd.k12.or.us>
Multnomah ESD - Technology Services
503-257-1562