Since apparently several Debian developers disagree on whether this issue is critical or not, I'd like to get input from other developers.

[1] The default Debian installation installs a MBR in your disk's MBR and installs lilo on your / partition.

[2] Even if you set up your BIOS so that users can't boot from floppy disk and if you secure lilo with a password, your system can still be booted from a floppy:
  - press shift at boot time, and Debian's MBR will give you a prompt 1FA:
  - then press F, and your system will boot from floppy disk, and you will get full root access to the hard disk

The point here is that:

[1] An option exists to install MBR without giving access to the floppy, thus closing entirely this security hole

[2] No warning is given at all during the installation that this MBR has extra features

Given that some of us (maybe all, this is not a flame, just a disagreement) do believe that this is an unacceptable security issue for Debian, I would like to get developers' opinion on this. Not fixing this in Potato and not issuing an advisory and a replacement mbr package for past distributions makes Debian a very weak distribution.

To take an analogy, what if your distribution installs a root shell freely available on virtual console F9 (so that it won't be easily noticed) without warning the system administrator by default?

  Sam

PS/ in Pierre's case, machines were physically secured with anti-theft cables and monitored by video cameras, so compromising the hardware is much harder than pressing shift then F at boot time to gain root access

Adam Di Carlo wrote, in the BTS (bug #56821):

| I agree with Ben's assessment. I do not believe that the default way
| boot-floppies ships, that is, with floppy booting enabled, is
| incorrect, although I do recognize that some may wish it was not so.
|
| In accordance with that wish, I have retitled and changed the
| severity of this bug. It should be possible to skip mbr and install
| lilo directly, disabling floppy booting (what in lilo.conf would have
| to be changed?).
|
| I do not believe this is release critical, however. Moreover, I can't
| wait until woody when hopefully we'll all be using 'grub', which
| hopefully will be easier for us (boot-floppies maintainers) to work
| with.