
Re: Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation



On Sun, Jun 14, 2015 at 04:48:20PM +0200, Geert Stappers wrote:
> control: tag -1 mordac
> > I don't think handwaving and tagging wontfix is the right play here.
> > 
> 
> Now tagging with 'mordac'. For those new to Mordac, get a
> first impression at http://dilbert.com/strip/2007-11-16
> And http://dilbert.com/search_results?terms=Mordac for a complete overview
> of Mordac, the preventer of information services.
> 
> 
> 
> In other words:
> 
> How to cope with nonsense like "security is more important than usability"?

It's not nonsense.

Yes, if you boot off PXE, then it's fine if the network contains
preseeding data. After all, you booted off PXE, so either your network
is fine (and nothing to worry about) or it isn't (and then using a
preseeding file off the network isn't going to make matters much worse,
since you've already *booted* untrusted code).

But if you boot off CD-ROM or USB or some such? Then the situation is
much different. While I agree that having preseeding in that case can be
useful, I can also understand the POV that the system *defaulting* to
using such a preseed file is a bad idea.

Let's say you buy a new laptop, take it out of the packaging while on
the train home, pop in a USB stick with d-i on it, and boot. Somewhere
on the way home, your train waits in a train station for a few minutes,
during which time it picks up the wireless connection and does DHCP
there. Should it trust any preseeding data that it got from that
connection?

I don't think so, but currently this *does* happen.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

