|Anyone who can physically interact with your system can tell the bootloader to bring your machine up in "single user mode", where s/he is given root privileges and everyone else is locked out of the system. This doesn't require a password on most Unix systems. The method differs with the bootloader being used, thus on each operating system revision and architecture. You can test this attack on a Linux system that uses LILO by typing "linux single" at the LILO: prompt.
Bastille can password-protect the bootprompt for you. You won't have to remember another password--single user mode, or "root" mode, will require the root password.
We HIGHLY recommend that you password protect single user mode.|