
Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]



On Wed, Feb 02, 2000 at 02:37:38PM -0600, David Starner wrote:
> On Wed, Feb 02, 2000 at 06:49:44PM +0100, Pierre Beyssac wrote:
> > Fact: there are many systems vulnerable due to this bug. Why no
> > official advisory? Does it improve system usability? Or maybe
> > does it just improve _perceived_ system usability?
> 
> Why do you say that there are many systems vulnerable due to this
> bug? You're talking about a situation where untrusted users are 

I agree with Pierre, there are lots of Linux machines with semi-free
access to potentially malicious users. Linux is used in Universities
and similar places where you really can't trust all users. I don't
work at the University any more, but if I did I would be very annoyed
to discover I need to reinstall all publicly accessible machines
because I can not be certain they have not been tampered with. 

There are even public libraries here with publicly accessible
computers; they have all the usual stuff with BIOS passwords, BIOS not
booting from floppy or CD-ROM etc. Together with a colleague, we tried
to figure out how to break into them, but they really were securely
configured, only opening the box and setting a jumper to reset the
BIOS would have worked. But with Debian GNU/Linux on them, it would
have been possible to boot from floppy. I assume that since I did not
know about this feature-rich MBR Debian uses, neither would the system
admins at the library. 

By the way, the machines I have installed have been secure, but purely
by accident. I always modify /etc/lilo.conf to read boot=/dev/sda,
that is not a partition but the disk device. This is because I put the
swap as first partition, and could not understand how booting would
work with lilo installed at /dev/sda2 only. This thread has been
useful in teaching me how things really work.


-- 
Tapio Lehtonen
Tapio.Lehtonen@IKI.FI
PGP public key from http://www.iki.fi/Tapio.Lehtonen
