Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.

To: Thomas Quinot <thomas@cuivre.fr.eu.org>
Cc: 56821@bugs.debian.org
Subject: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
From: Randolph Chung <tausq@debian.org>
Date: Wed, 2 Feb 2000 18:39:59 -0700
Message-id: <[🔎] 20000202183959.E1870@tausq.org>
Reply-to: Randolph Chung <tausq@debian.org>, 56821@bugs.debian.org
In-reply-to: <[🔎] 20000202153008.A3953@cuivre.fr.eu.org>; from thomas@cuivre.fr.eu.org on Wed, Feb 02, 2000 at 03:30:08PM +0100
References: <[🔎] 20000201182948.C5FD72AB3B@melchior.cuivre.fr.eu.org> <[🔎] 20000201141756.A7238@visi.net> <[🔎] 20000201225548.B29296@cuivre.fr.eu.org> <[🔎] 20000201204924.C7238@visi.net> <[🔎] 20000202030045.A31496@cuivre.fr.eu.org> <[🔎] 20000201202503.L22865@tausq.org> <[🔎] 20000202124508.A3178@cuivre.fr.eu.org> <[🔎] 20000202072851.C1870@tausq.org> <[🔎] 20000202153008.A3953@cuivre.fr.eu.org>

> I would be /very/ interested if you could elaborate on this point.

If your debian partition is not marked as "default bootable" it doesn't show
up on the first set of numbers. You have to press A to get to the second
set, which lists all partitions.

> Hum, to my reading of the mbr source code, this would defeat the
> whole purpose of the 'A' mode, which consists in allowing boot
> from disabled partitions.

well, it'll still let you boot from disabled partitions, just not from floppy.

> I would also be most interested in learning why it is not possible
> to fix this problem simply by displaying prominent warnings in
> the installation procedure that the user must manually overwrite
> the MBR, in addition to the normal BIOS and LILO setup, if he
> wants to prevent boot from floppy disks by unauthorized users.

it's possible. in fact i have been working since before this discussion
started on improving the prompts. I think it should be clear from my
previous messages that I think the argumentative portions of this discussion
from all parties concerned is quite pointless and destructive. As others
have pointed out, the default lilo installation is equally insecure, and
we've had that (as well as the mbr install) forever. If you'd like to
suggest the wording that will make it satisfy your concerns, i'll make sure
they get into dbootstrap.

randolph
-- 
Debian Developer <tausq@debian.org>
http://www.TauSq.org/

Reply to:

References:
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Thomas Quinot <thomas@cuivre.fr.eu.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Ben Collins <bcollins@debian.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Thomas Quinot <thomas@cuivre.fr.eu.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Ben Collins <bcollins@debian.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Thomas Quinot <thomas@cuivre.fr.eu.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Randolph Chung <tausq@debian.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Thomas Quinot <thomas@debian.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Randolph Chung <tausq@debian.org>
- Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
  - From: Thomas Quinot <thomas@cuivre.fr.eu.org>

Prev by Date: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]
Next by Date: win32 http server
Previous by thread: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
Next by thread: Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.
Index(es):
- Date
- Thread