[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Wed, 2 Feb 2000, Martijn van Oosterhout wrote:

>Samuel Tardieu wrote:
>> Since apparently several Debian developers disagree on whether this issue
>> is critical or not, I'd like to get input from other developers.
>>   [1] The default Debian installation installs a MBR in your disk's MBR and
>>       installs lilo on your / partition.
>>   [2] Even if you setup your BIOS so that users can't boot from floppy disk
>>       and if you secure lilo with a password, your system can still be booted
>>       from a floppy:
>>          - press shift at boot time, and Debian's MBR will give you a prompt
>>            1FA:
>>          - then press F, and your system will boot from floppy disk, and you
>>            will get full root access to the hard disk

If you're that paranoid about someone booting from a floppy you shouldn't
have a floppy drive in the machine. force the cracker to open the machine
and install one. maybe "rm /dev/fd*" would do it. If someone can do this
without you noticing then they can probably take the hdd out or steal the
whole machine.

>> To take an analogy, what if your distribution installs a root shell
>> available on virtual console F9 (so that it won't be easily noticed)
>> warning the system administrator by default?

this is hardly an analogy. any novice logged into the machine from
anywhere can see a shell running on tty9 from ps and wonder whats going

>OTOH, if you have physical access to the machine is there really any


Reply to: