Re: [POSSIBLE GRAVE SECURITY HOLD]
- To: John Goerzen <jgoerzen@complete.org>
- Cc: Samuel Tardieu <sam@debian.org>, Adam Di Carlo <adam@onshore.com>, "Huneycutt, Doug" <doug.huneycutt@lmco.com>, 56821@bugs.debian.org, pb@enst.fr, quinot@enst.fr, debian-devel@lists.debian.org
- Subject: Re: [POSSIBLE GRAVE SECURITY HOLD]
- From: Thomas Quinot <quinot@email.enst.fr>
- Date: Wed, 2 Feb 2000 17:03:09 +0100
- Message-id: <20000202170309.A29101@lantier.enst.fr>
- Reply-to: quinot@infres.enst.fr
- In-reply-to: <87vh47k3v1.fsf@erwin.complete.org>; from jgoerzen@complete.org on Wed, Feb 02, 2000 at 09:42:42AM -0600
- References: <2000-02-02-11-38-12+trackit+sam@debian.org> <87vh47k3v1.fsf@erwin.complete.org>
Le 2000-02-02, John Goerzen écrivait :
> That said, there are things that you can do to make it more secure in
True.
> said, you'll need to tie down LILO by giving it a password. You'll
> need to padlock shut your computer's cases. You'll need to disable
> the floppies entirely or at least disable booting from them. You'll
> need to password-protect your BIOS.
We already do all of these.
> You may need to remove MBR.
And here is the problem:
The MBR used by Debian by default allows any user to boot from
floppy. No other PC MBR does that. This behaviour is documented
nowhere.
One possible solution to the problem as we resent it is mere documentation.
Do you find it an inacceptable burden for users to BE INFORMED that
the default setup will unconditionnally allow booting from a floppy
disk?
> DEFAULT is not in anyone's best interest. Note that even Sun machines
> can easily be halted and the BIOS entered -- at runtime -- by anyone
> sitting at the keyboard.
Anyone sitting at they keyboard who possesses the PROM password.
Thomas.
Reply to: