
Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]



First of all, I have to say that I don't like our mbr package. I would
really prefer if we installed a standard mbr, i.e. one that simply boots
the first partition that has the "bootable" flag, as any standard mbr
does. Our mbr is only creating confusion for the person who types shift to
get the lilo prompt, and then gets a different prompt and wonders what
happened.

However, I think Thomas is wrong to blame mbr and debian for his security
breach...

On Wed, 2 Feb 2000, Thomas Quinot wrote:
> On 2000-02-02, Ruud de Rooij wrote:
> > I do agree, however, that it is not a security hole. If someone wants
> > to make the console secure, they would have to modify lilo.conf
> > anyway, and so could change the boot= line as well.

> I feel this behaviour is a security concern, because it opens a path
> for root compromission in an obscure, non-standard, non-documented way.

The common wisdom among all sysadmins that I know is that you cannot
secure a machine against intruders who have physical access to it. It is
very standard and documented.

The attacks on the boot mechanism are the most obvious ones, too.

> I am amazed by Debian developers seriously writing that "this is not a
> security concern", since we have had evidence of this hole being
> actively exploited. Undue root access /has been/ obtained because of
> this problem; we are not speaking of a potential security breach here,
> but of real sensitive data that have been compromised.

People are writing this because they believe in the unix mantra that says
that you can't protect publicly accessible systems. I think that your
breach only confirms this.

If you want security, you should not trust the guardians, who are
probably underpaid anyway and don't know much about computers. You could
configure things so that the other hosts on the network don't trust the
publicly accessible machines. You should not have sensitive data on them,
except possibly on an encrypted FS that needs a password typed to be
mounted, but even this solution is not very secure because people with
physical access to your keyboard could easily install a physical sniffer
device somewhere.

If you only need to be "relatively secure" (whatever that is), then you
need a combination of one or several measures: adding the correct boot=
line in your lilo.conf, disabling ctrl-alt-del, telling the guardians to
be suspicious of people carrying floppy disks, disabling the floppy drive, ...
But you will never have "real security" this way. If you want security,
you have to bite the bullet and make it so that the public host cannot
access any sensitive data on your network.

An alternative solution is to have the guardian identify your users when
they get to the machine room, and hold them accountable for their actions.

> Sure, if Debian is not willing to fix the system, we'll go and fix our
> boxen ourselves. But for installing new machines, we will have no choice
> but to evict it from our list of possible operating environments
> whenever any level of reasonable security is a requirement.

The security model that you aimed for is easily accessible by just adding
the correct boot= line in your lilo.conf. So the justification for
switching from Debian to something else seems dubious... (and I feel that
Debian is doing a good job on security compared to other distros).

I would be very tempted to mock you for your "I won't use your software if
you don't agree with me" argument if you were not a Debian developer
yourself :)

That said, I must add that I still don't see the point of the boot
partition choice in the mbr package.

--
Michel "Walken" LESPINASSE - Development Engineer at Wind River Systems
"We've all heard that a million monkeys banging on a million typewriters
 will eventually reproduce the entire works of Shakespeare.
 Now, thanks to the Internet, we know this is not true."
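As an added illustration for readers of this archived thread (not part of Michel's message or of the Debian mbr or lilo packages), here is what the "correct boot= line" measure looks like in a lilo.conf. It assumes the usual interpretation: with `boot=` pointing at the whole disk rather than a partition, LILO is written to the master boot record itself, so the separate mbr package's shift-key prompt is no longer the first thing that runs. The `prompt`, `password=` and `restricted` lines are LILO's own options for locking the console prompt and are mentioned here as an assumption beyond what the message names; device names and the password value are placeholders to be replaced.

```conf
# Added example lilo.conf, constructed for this thread; adjust device names.

# Assumption: installing to the whole disk (not /dev/hda1) puts LILO in the
# MBR, replacing the mbr package's boot sector and its own prompt.
boot=/dev/hda

# Where the map and second-stage loader live.
install=/boot/boot.b
map=/boot/map

# Show the LILO prompt, but refuse boot-time parameters (e.g. "init=")
# unless the password below is typed. REPLACE-ME is a placeholder; the file
# must then be readable by root only (chmod 600 /etc/lilo.conf).
prompt
delay=50
password=REPLACE-ME
restricted

# Default kernel entry.
image=/vmlinuz
  label=Linux
  root=/dev/hda1
  read-only
```

After editing, run `lilo` as root so the new map and boot sector are written; the change to `boot=` takes effect only once the loader has been reinstalled.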

