Re: [POSSIBLE GRAVE SECURITY HOLE]
On Wed, 2 Feb 2000, Martijn van Oosterhout wrote:
>Samuel Tardieu wrote:
>> Since apparently several Debian developers disagree on whether this issue
>> is critical or not, I'd like to get input from other developers.
>>  The default Debian installation installs a MBR in your disk's MBR and
>> installs lilo on your / partition.
>>  Even if you setup your BIOS so that users can't boot from floppy disk
>> and if you secure lilo with a password, your system can still be booted
>> from a floppy:
>> - press shift at boot time, and Debian's MBR will give you a prompt
>> - then press F, and your system will boot from floppy disk, and you
>> will get full root access to the hard disk
If you're that paranoid about someone booting from a floppy you shouldn't
have a floppy drive in the machine. Force the cracker to open the machine
and install one. Maybe "rm /dev/fd*" would do it. If someone can do this
without you noticing then they can probably take the hdd out or steal the
>> To take an analogy, what if your distribution installs a root shell
>> available on virtual console F9 (so that it won't be easily noticed)
>> warning the system administrator by default?
This is hardly an analogy. Any novice logged into the machine from
anywhere can see a shell running on tty9 from ps and wonder what's going
>OTOH, if you have physical access to the machine is there really any