Re: [POSSIBLE GRAVE SECURITY HOLD]

[Thomas Quinot <thomas@debian.org>]

Le 2000-02-02, Ruud de Rooij écrivait :

> I do agree, however, that it is not a security hole.  If someone wants 
> to make the console secure, they would have to modify lilo.conf
> anyway, and so could change the boot= line as well.

I feel this behaviour is a security concern, because it opens
a path for root compromission in an obscure, non-standard, non-documented
way. It is very unfortunate that, when installed using default settings,
all floppy boot restrictions can be bypassed on a Debian system, even when
the administrator takes the usual required step consisting in physically
securing the machine's enclosure, disabling floppy boot in the BIOS,
and properly configuring LILO. Introducing one more layer in system startup
is unnecessary, and considering that this layer as configured at system
installation, grants every user root access, /very/ unfortunate.

I am amazed by Debian developers seriously writing that "this is not
a security concern", since we have had evidence of this hole being
actively exploited. Undue root access /has been/ obtained because of
this problem; we are not speaking of a potential security breach here,
but of real sensitive data that have been compromised.

Sure, if Debian is not willing to fix the system, we'll go and fix
our boxen ourselves. But for installing new machines, we will have no
choice but to evict it from our list of possible operating environments
whenever any level of reasonable security is a requirement.

Thomas.

-- 
    Thomas.Quinot@Cuivre.FR.EU.ORG