
Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.



retitle 56821 mbr allows booting from floppy; wish for option to bypass mbr
severity 56821 wishlist
thanks

Ben Collins <bcollins@debian.org> writes:
> Security minded persons should not depend on things being set up for
> "their" site out of the box. Hence, it is his fault for not checking that
> in the first place. On top of that, given that it is configurable, it is a
> simple change and then rerun lilo to disallow it.

I agree with Ben's assessment.  I do not believe that the default way
boot-floppies ships, that is, with floppy booting enabled, is
incorrect, although I do recognize that some may wish it was not so.

In accordance with that wish, I have retitled and changed the
severity of this bug.  It should be possible to skip mbr and install
lilo directly, disabling floppy booting (what in lilo.conf would have
to be changed?).

I do not believe this is release critical, however.  Moreover, I can't
wait until woody when hopefully we'll all be using 'grub', which
hopefully will be easier for us (boot-floppies maintainers) to work
with.


-- 
.....Adam Di Carlo....adam@onShore.com.....<URL:http://www.onShore.com/>

