[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]



Since apparently several Debian developers disagree on whether this issue
is critical or not, I'd like to get input from other developers.

  [1] The default Debian installation installs a MBR in your disk's MBR and
      installs lilo on your / partition.

  [2] Even if you setup your BIOS so that users can't boot from floppy disk
      and if you secure lilo with a password, your system can still be booted
      from a floppy:
         - press shift at boot time, and Debian's MBR will give you a prompt
           1FA:
         - then press F, and your system will boot from floppy disk, and you
           will get full root access to the hard disk

The point here is that:

  [1] An option exists to install MBR without giving access to the floppy,
      thus closing entirely this security hole

  [2] No warning is given at all during the installation that this MBR
      has extra features

Given that some of us (maybe all, this is not a flame, just a disagrement)
do believe that this is an unacceptable security issue for Debian, I would
like to get developers opinion on this.

Not fixing this in Potato and not issuing an advisory and a replacement mbr
package for past distributions makes Debian a very weak distribution.

To take an analogy, what if your distribution installs a root shell freely
available on virtual console F9 (so that it won't be easily noticed) without
warning the system administrator by default?

  Sam

PS/ in Pierre's case, machines were physically secured with anti-theft cables
    and monitored by video cameras, so compromising the hardware is much harder
    than pressing shift then F at boot time to gain root access

Adam Di Carlo wrote, in the BTS (bug #56821):

| I agree with Ben's assessment.  I do not believe that the default way
| boot-folopppies ships, that is, with flopppy booting enabled, is
| incorrect, although I do recognize that some may wish it was not so.
| 
| In accordandce with that wish, I have retitled and changed the
| severity of this bug.  It should be possible to skip mbr and install
| lilo directly, disabling floppy booting (what in lilo.conf would have
| to be changed?).
| 
| I do not believe this is release critical, however.  Moreover, I can't
| wait until woody when hopefully we'll all be using 'grub', which
| hopefully will be easier for us (boot-floppies maintainers) to work
| with.

Attachment: pgpADwINa5pvA.pgp
Description: PGP signature


Reply to: