Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
From: Thomas Quinot <thomas@cuivre.fr.eu.org>
Date: Tue, 01 Feb 2000 19:29:48 +0100
Message-id: <[🔎] 20000201182948.C5FD72AB3B@melchior.cuivre.fr.eu.org>
Reply-to: Thomas Quinot <thomas@cuivre.fr.eu.org>, 56821@bugs.debian.org

Package: boot-floppies
Version: 2.2.5
Severity: critical

During installation, boot-floppies set up a MBR using /sbin/install-mbr.
The installed mbr allows user to boot from a floppy by pressing any
key, then typing "F" at the prompt. Any password protection or
boot restriction defined in lilo.conf can thus be bypassed. There
should be prominent warnings in the installation procedure to
inform administrators that choosing the default choice for MBR
installation (which is to use /sbin/install-mbr) grants root privileges
to all users with access to the console.

This is a very serious security problems; several machines at this
site have been compromised at this site because of it. This report
is therefore graded "critical" and will be forwarded to debian-security.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux melchior 2.2.13 #1 mer nov 3 16:09:02 CET 1999 i586

Reply to:

Follow-Ups:
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Ben Collins <bcollins@debian.org>
- Re: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Tapio Lehtonen <tale@iki.fi>
- Bug#56821: marked as done (mbr allows booting from floppy; wish for option to bypass mbr)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: bf 2.2.5 install
Next by Date: Bug#48866: Time-Zone still wrong
Previous by thread: Re: bf 2.2.5 install
Next by thread: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
Index(es):
- Date
- Thread