SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Nico Kadel-Garcia <[log in to unmask]>
Date: Wed, 1 Feb 2012 13:14:04 -0500
On Wed, Feb 1, 2012 at 12:28 PM, Yasha Karant <[log in to unmask]> wrote:
> On 02/01/2012 09:03 AM, Konstantin Olchanski wrote:
>>
>> On Wed, Feb 01, 2012 at 08:47:28AM -0800, Yasha Karant wrote:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=636628
>
> [snip]
>
>> Anyone with physical access to the machine can walk away with your disks,
>> or boot their own OS from a USB disk or from the network, and have root
>> access to all files without having to get root access. So you can safely
>> assume that for unfriendly purposes, having physical access is the same as
>> knowing the root password.
>>
>
> It is my understanding that if the BIOS on a standard IA-32 or X86-64
> machine is protected by a boot password, then there is no access to the boot
> procedure of the BIOS and thus the media you suggest cannot be booted unless
> these are in BIOS boot order preceding the physical internal hard drive.
>
> Am I in error?

You're mistaken. It's a common practice in university environments or
corporate environments to issue hardware with such a BIOS password
set, to avoid precisely the kind of local boot order manipulation or
live CD manipulation folks describe, and especially to protect the
administrative password setting. But it's not a default on any of the
hundreds of motherboards I've seen in my career.

Now, if you wait a few years for UEFI to become commonplace as the new
replacement for BIOS, we may run headlong into this. UEFI "secure
boot" is designed to lock down boot processes and is likely to
interfere profoundly with Linux installation.
