
Bug#56821: marked as done (mbr allows booting from floppy; wish for option to bypass mbr)



Your message dated 02 Feb 2000 22:07:03 -0800
with message-id <87u2jqizug.fsf_-_@bittersweet.intra>
and subject line Boot floppies 2.2.6 has been uploaded. (Was: Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD])
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Feb 2000 18:29:51 +0000
Received: (qmail 31314 invoked from network); 1 Feb 2000 18:29:50 -0000
Received: from melchior.enst.fr (HELO melchior.cuivre.fr.eu.org) (137.194.161.6)
  by master.debian.org with SMTP; 1 Feb 2000 18:29:50 -0000
Received: by melchior.cuivre.fr.eu.org (Postfix, from userid 1000)
	id C5FD72AB3B; Tue,  1 Feb 2000 19:29:48 +0100 (CET)
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Important security hole: mbr allows anyone to boot from a floppy.
X-Reportbug-Version: 0.48
X-Mailer: reportbug 0.48
Date: Tue, 01 Feb 2000 19:29:48 +0100
Message-Id: <20000201182948.C5FD72AB3B@melchior.cuivre.fr.eu.org>

Package: boot-floppies
Version: 2.2.5
Severity: critical

During installation, boot-floppies sets up an MBR using /sbin/install-mbr.
The installed mbr allows a user to boot from a floppy by pressing any
key, then typing "F" at the prompt. Any password protection or
boot restriction defined in lilo.conf can thus be bypassed. There
should be prominent warnings in the installation procedure to
inform administrators that choosing the default choice for MBR
installation (which is to use /sbin/install-mbr) grants root privileges
to all users with access to the console.

This is a very serious security problem; several machines at this
site have been compromised because of it. This report
is therefore graded "critical" and will be forwarded to debian-security.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux melchior 2.2.13 #1 mer nov 3 16:09:02 CET 1999 i586

---------------------------------------
Received: (at 56821-done) by bugs.debian.org; 3 Feb 2000 06:07:13 +0000
Received: (qmail 5227 invoked from network); 3 Feb 2000 06:07:10 -0000
Received: from bittersweet.inetarena.com (root@209.102.107.172)
  by master.debian.org with SMTP; 3 Feb 2000 06:07:10 -0000
Received: (from karlheg@localhost)
	by bittersweet.inetarena.com (8.9.3/8.9.3/Debian 8.9.3-6) id WAA30855;
	Wed, 2 Feb 2000 22:07:04 -0800
Sender: karlheg@bittersweet.inetarena.com
To: 56821-done@bugs.debian.org
Cc: John Goerzen <jgoerzen@complete.org>, Pierre Beyssac <beyssac@enst.fr>,
        Samuel Tardieu <sam@debian.org>, Adam Di Carlo <adam@onshore.com>,
        "Huneycutt, Doug" <doug.huneycutt@lmco.com>, pb@enst.fr,
        quinot@enst.fr, debian-devel@lists.debian.org
Subject: Boot floppies 2.2.6 has been uploaded. (Was: Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD])
References: <2000-02-02-11-38-12+trackit+sam@debian.org> <87vh47k3v1.fsf@erwin.complete.org> <20000202175255.E50448@enst.fr> <873drby1na.fsf@erwin.complete.org> <20000202181855.H50448@enst.fr> <87n1pjy0qs.fsf@erwin.complete.org> <20000202184944.K50448@enst.fr> <87ya93h467.fsf@erwin.complete.org>
From: karlheg@bittersweet.inetarena.com (Karl M. Hegbloom)
In-Reply-To: John Goerzen's message of "02 Feb 2000 12:04:16 -0600"
Mime-Version: 1.0 (generated by tm-edit 1.5)
Content-Type: text/plain; charset=US-ASCII
Date: 02 Feb 2000 22:07:03 -0800
Message-ID: <87u2jqizug.fsf_-_@bittersweet.intra>
Lines: 76
X-Mailer: Gnus v5.6.45/XEmacs 21.2 - "Hera"


 Boot floppies 2.2.6 has been uploaded.

 Starting with this version of `boot-floppies', `install-mbr' is run
 with `--interrupt n', so that it is not interruptible during boot;
 that is, holding shift will NOT display the MBR menu; it should
 behave just like a standard MBR.  At local option, that functionality
 may be enabled by the system administrator, via the `install-mbr'
 command.

 You will find that `install-mbr --help' displays the following:

 Usage: install-mbr [options] <target>
 Options:
   -f, --force                       Override some sanity checks.
   -I <path>, --install <path>       Install code from the specified file.
   -k, --keep                        Keep the current code in the MBR.
   -l, --list                        Just list the parameters.
   -n, --no-act                      Don't install anything.
   -o <offset>, --offset <offset>    Install the MBR at byte offset <offset>.
   -P <path>, --parameters <path>    Get parameters from <path>.
   -r, --reset                       Reset the parameters to the default state.
   -T <path>, --table <path>         Get partition table from <path>.
   -v, --verbose                     Operate verbosely.
   -V, --version                     Show version.
   -h, --help                        Display this message.
 Parameters:
   -d <drive>, --drive <drive>       Set BIOS drive number.
   -e <option>, --enable <option>    Select enabled boot option.
   -i <mode>, --interrupt <keys>     Set interrupt mode. (a/c/s/cs/n)
   -p <partn>, --partition <partn>   Set boot partition (0=whole disk).
   -t <timeout>, --timeout <timeout> Set the timeout in 1/18 second.
 Interrupt modes:
   's'=Interrupt if shift or ctrl is pressed.
   'k'=Interrupt if other key pressed.
   'a'=Interrupt always.
   'n'=Interrupt never.
 Boot options:
   '1','2','3' or '4' - Partition 1,2,3 or 4.
   'F' - 1st floppy drive.
   'A' - Advanced mode.
 Report bugs to neilt@chiark.greenend.org.uk
 

 From `dbootstrap' (the familiar Debian installer program on the
 rescue floppy) right after opting to install `mbr', a message dialog
 will be displayed (unless the "quiet" bootarg was given) with the
 following to say:

----------------------------------------------------------------------

	    Important Information about the installed MBR

   The master boot record program that was just installed supports
   several advanced options that have not been enabled by default.
   The installed configuration will cause it to behave just like a
   standard MBR.  For information about the advanced features
   supported by the mbr, please read the 'install-mbr' manual page.

----------------------------------------------------------------------

 I have verified that the `install-mbr' man page is installed with the
 base system.  It will be available for reading after the standard
 `man-db' setup is in place.

 We hope that this will be sufficient grounds for closing bug #56821.


 Karl M. Hegbloom <karlheg@debian.org>, on behalf of the `debian-boot'
 team.

 PS.
  It has been brought up that _perhaps_ for `woody', an `mbr' and
  `lilo' configuration widget can be added to `dbootstrap', allowing
  one to enable and configure the advanced `mbr' functionality, and
  even Lilo/Grub password access control features during installation.

