Chris G wrote:
Not entirely trivial - I have the boot order password-protected in the BIOS. The sunk cost I'd put into achieving that is partly why it came as such a shock to find GRUB behaving like this.
Presumably all that's needed to circumvent that, though, is to reset the BIOS, isn't it?
That isn't always true; BIOS passwords don't always get reset by using the clear CMOS jumpers etc., although in those cases there is usually a way of doing it, but it may require a lot of effort (some IBM kit, for example, needs a new flash chip, or at least access to a programmer to modify the old one).
In any case a lid lock would make resetting the BIOS that bit harder if you were concerned; most cases have the ability to do this via a little tab on the back which you can pop a padlock through. Tin snips would circumvent most of them, but it's all about adding barriers. Also, at the point someone is going inside the machine and moving the clear CMOS jumper, they may as well just pull the drives and plug them into something else.
The real solution when this is a concern is to use purpose-built computer safes if the machine room isn't secure. You can get tower-sized total enclosure ones that would prevent physical tampering, including plugging in/inserting removable media, and once bolted to a concrete floor with good capture bolts would make removal/theft of the machine pretty difficult (or at least very noisy). We have a client where use of these on a database server is enforced by a regulatory body.
I suspect that Dan's concern may not fall into the realms where such things are justified, as I am guessing his aim was to stop inquisitive tampering rather than a full-scale attempt at data theft; otherwise the box would already be physically secure.