[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#56821: Important security hole: mbr allows anyone to boot from a floppy.

> I would be /very/ interested if you could elaborate on this point.

If your debian partition is not marked as "default bootable" it doesn't show
up on the first set of numbers. You have to press A to get to the second
set, which lists all partitions.

> Hum, to my reading of the mbr source code, this would defeat the
> whole purpose of the 'A' mode, which consists in allowing boot
> from disabled partitions.

well, it'll still let you boot from disabled partitions, just not from floppy.

> I would also be most interested in learning why it is not possible
> to fix this problem simply by displaying prominent warnings in
> the installation procedure that the user must manually overwrite
> the MBR, in addition to the normal BIOS and LILO setup, if he
> wants to prevent boot from floppy disks by unauthorized users.

it's possible. in fact i have been working since before this discussion
started on improving the prompts. I think it should be clear from my
previous messages that I think the argumentative portions of this discussion
from all parties concerned is quite pointless and destructive. As others
have pointed out, the default lilo installation is equally insecure, and
we've had that (as well as the mbr install) forever. If you'd like to
suggest the wording that will make it satisfy your concerns, i'll make sure
they get into dbootstrap.

Debian Developer <tausq@debian.org>

Reply to: