
Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]



In tom.lists.debian-devel, you wrote:
> After all, with a boot prompt, the student could get root access using
> init=/bin/sh  [Oh, wait, then that would be "grave" a bug in lilo..]

Actually, not really. Lilo has two options ("restricted" and
"password=") that, used together, allow the system to be booted
without giving the user the ability to change the kernel command
line. (Making lilo unreadable by users is a must so that they can't
find out the password.)

This, combined with a BIOS admin password and disabling boot from
floppy and cdrom, leads to a boot sequence protected from
software-based attacks. (And it's usually possible to lock down cases
to make tampering with the hardware difficult and obvious.)

Mbr is a flaw in this scheme, and since it normally is silent, it's
occasionally hard to notice. The patch I sent to the list to add a
banner to debdiff is part of a solution... adding some comments to the
default lilo.conf mentioning how lilo interacts with mbr may be
another part.

This seems like a big gotcha that will hit fairly experienced admins
when they switch from another (non-mbr) version of Linux to Debian. 

-- 
Tom Rothamel --------- http://onegeek.org/~tom/ ---------- Using GNU/Linux
	"Students who successfully accomplish this task will be given 
	 extra credit (and a complete psychiatric examination)."
		- Andrew S. Tannenbaum, _Structured Computer Organization_
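
Added example, not part of the original message: a small audit of a lilo.conf for the two options named above ("password=" and "restricted") and for a file mode that keeps the password away from other users. The function names, the sample configurations and the assumption that each image=/other= line starts a section inheriting the global options are this example's own.

```python
import os
import stat
import tempfile

def audit_lilo_conf(path):
    """Return a list of findings for the lilo.conf at `path` (empty list = OK)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o lets non-owners read the password" % mode)
    # Global options precede the first image=/other= line; each such line opens
    # a per-image section. Only the two options from the message are checked.
    sections = [("global", set())]
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments
            if not line:
                continue
            key = line.split("=", 1)[0].strip().lower()
            if key in ("image", "other"):
                sections.append((line, set()))
            sections[-1][1].add(key)
    for name, opts in sections[1:]:
        effective = sections[0][1] | opts
        if "password" not in effective:
            findings.append("%s: no password=, boot prompt accepts any arguments" % name)
        elif "restricted" not in effective:
            findings.append("%s: password= without restricted, every boot asks for it" % name)
    return findings

# Constructed sample configurations (placeholder password, not real data).
WEAK = "boot=/dev/hda\nprompt\nimage=/vmlinuz\n  label=linux\n"
HARDENED = ("boot=/dev/hda\nprompt\npassword=EXAMPLE-ONLY\nrestricted\n"
            "image=/vmlinuz\n  label=linux\n")

def audit_sample(text, mode):
    """Write `text` to a temporary file with permission bits `mode` and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(text)
    os.chmod(fh.name, mode)
    try:
        return audit_lilo_conf(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(audit_sample(WEAK, 0o644))      # two findings: mode and missing password
    print(audit_sample(HARDENED, 0o600))  # no findings
```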

