Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.

[Pierre Beyssac <beyssac@enst.fr>]

Randolph,

On Tue, Feb 01, 2000 at 08:25:03PM -0700, Randolph Chung wrote:
> instead of you all starting another flamewar^H^H^H^H^H^H^H^H^Hdiscussion, we
> are going to try to install the mbr with the floppy option turned off....
> (install-mbr --enable -F)

Thanks for your answer, that's a solution I like better than "you
should've read the docs we didn't write and the warnings we didn't
provide" :-)

> This bug will be closed with the next boot floppies upload. If you have
> other constructive concerns/suggestions, please let us know.

I think the "install-mbr --enable -F" is not enough, far from it:
what if there's a CDROM on the machine and a way to boot it? How
many unknown and dangerous "features" are still in this MBR?

Here are the points I would like addressed before the problem report
can be closed:

1) fixing the problem for future distributions

This MBR should be replaced in the install with a barebones MBR.

	Reason: the last place where I expect creeping featurism
	is in a MBR.

or alternatively (my second choice if you ask me), there should be
a PROMINENT warning during the installation that this MBR is
extremely dangerous, and why it is.

	Reason: right now, the installation just leaves the choice
	between installing a MBR and leaving the previous MBR.

Furthermore, it would be a good thing to add a choice in the
installation to install just LILO as the MBR. This fixed the problem
for me. Currently AFAICT LILO is configured on /dev/hda1 or
equivalent, not /dev/hda (this is how I fixed the hole, by the
way).

2) issuing a security advisory regarding past distributions (at
   least 2.0 and 2.1), and issuing a recommended update for these
   distributions.

	Reason: Many sites are probably vulnerable and unaware of
	this because they trusted the default installation.
-- 
Pierre Beyssac		pb@enst.fr