
Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.



On Wed, Feb 02, 2000 at 06:53:34PM +0100, Thomas Quinot wrote:
> On 2000-02-02, Ben Collins wrote:
> 
> > the hardware to do the same thing. Granted we can document it, but I think
> > the behavior is expected of any default system that it is possible to boot
> > from floppy.
> 
> Great. We seem to have identified one fundamental point where we
> have different opinions. I think that, on a system with default installation,
> if you disable booting from floppy in the BIOS and in LILO, then
> it is not expected behaviour that you /still/ can boot from floppy.

No, I cannot agree.

LILO and the BIOS are only two parts of the boot process. Since a) the
BIOS by default allows booting from the floppy, then using that as the
default for the MBR is not a security risk. The MBR is also a part, and
should be verified under these conditions, no matter what the default is.

If you have to change LILO and the BIOS, then changing the MBR _is_ to be
expected since it plays a part of the role (it is not excluded by any
means). If you file a bug on this, then also file one on silo, milo, and
complain loudly to your computer manufacturers (any of them that allow
this).

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  --  bcollins@openldap.org  --  bmc@visi.net     '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

