Re: [POSSIBLE GRAVE SECURITY HOLD]
The basic principle is that you cannot achieve full security on a
machine if untrusted people have physical access to it. Period.
That said, there are things that you can do to make it more secure in
that situation. As this situation is rare, it makes zero sense for us
to inconvenience everyone else out there because of it. Like you
said, you'll need to tie down LILO by giving it a password. You'll
need to padlock shut your computer's cases. You'll need to disable
the floppies entirely or at least disable booting from them. You'll
need to password-protect your BIOS. You may need to remove MBR.
You'll need to attach ethernet cables in such a way that they cannot
be removed. You'll need to padlock the computer to the room. You'll
need to disable Ctrl-Alt-Del. If it has an external SCSI port, you'll
need to disable that or disable SCAM.
As you can see, some of these are within our control, some are not. I
believe we should, and have, provide mechanisms to allow a box to be
secured in such a fashion. However, using them in such a fashion BY
DEFAULT is not in anyone's best interest. Note that even Sun machines
can easily be halted and the BIOS entered -- at runtime -- by anyone
sitting at the keyboard.
-- John
Samuel Tardieu <sam@debian.org> writes:
> Since apparently several Debian developers disagree on whether this issue
> is critical or not, I'd like to get input from other developers.
>
> [1] The default Debian installation installs a MBR in your disk's MBR and
> installs lilo on your / partition.
>
> [2] Even if you setup your BIOS so that users can't boot from floppy disk
> and if you secure lilo with a password, your system can still be booted
> from a floppy:
> - press shift at boot time, and Debian's MBR will give you a prompt
> 1FA:
> - then press F, and your system will boot from floppy disk, and you
> will get full root access to the hard disk
>
> The point here is that:
>
> [1] An option exists to install MBR without giving access to the floppy,
> thus closing entirely this security hole
>
> [2] No warning is given at all during the installation that this MBR
> has extra features
>
> Given that some of us (maybe all, this is not a flame, just a disagrement)
> do believe that this is an unacceptable security issue for Debian, I would
> like to get developers opinion on this.
>
> Not fixing this in Potato and not issuing an advisory and a replacement mbr
> package for past distributions makes Debian a very weak distribution.
>
> To take an analogy, what if your distribution installs a root shell freely
> available on virtual console F9 (so that it won't be easily noticed) without
> warning the system administrator by default?
>
> Sam
>
> PS/ in Pierre's case, machines were physically secured with anti-theft cables
> and monitored by video cameras, so compromising the hardware is much harder
> than pressing shift then F at boot time to gain root access
>
> Adam Di Carlo wrote, in the BTS (bug #56821):
>
> | I agree with Ben's assessment. I do not believe that the default way
> | boot-folopppies ships, that is, with flopppy booting enabled, is
> | incorrect, although I do recognize that some may wish it was not so.
> |
> | In accordandce with that wish, I have retitled and changed the
> | severity of this bug. It should be possible to skip mbr and install
> | lilo directly, disabling floppy booting (what in lilo.conf would have
> | to be changed?).
> |
> | I do not believe this is release critical, however. Moreover, I can't
> | wait until woody when hopefully we'll all be using 'grub', which
> | hopefully will be easier for us (boot-floppies maintainers) to work
> | with.
--
John Goerzen Linux, Unix consulting & programming jgoerzen@complete.org |
Developer, Debian GNU/Linux (Free powerful OS upgrade) www.debian.org |
----------------------------------------------------------------------------+
The 70,919,400th prime number is 1,419,678,413.
Reply to: