[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Wed, Feb 02, 2000 at 11:38:12AM +0100, Samuel Tardieu wrote:
> Since apparently several Debian developers disagree on whether this issue
> is critical or not, I'd like to get input from other developers.
>   [1] The default Debian installation installs a MBR in your disk's MBR and
>       installs lilo on your / partition.
>   [2] Even if you setup your BIOS so that users can't boot from floppy disk
>       and if you secure lilo with a password, your system can still be booted
>       from a floppy:
>          - press shift at boot time, and Debian's MBR will give you a prompt
>            1FA:
>          - then press F, and your system will boot from floppy disk, and you
>            will get full root access to the hard disk
> The point here is that:
>   [1] An option exists to install MBR without giving access to the floppy,
>       thus closing entirely this security hole
>   [2] No warning is given at all during the installation that this MBR
>       has extra features
> Given that some of us (maybe all, this is not a flame, just a disagrement)
> do believe that this is an unacceptable security issue for Debian, I would
> like to get developers opinion on this.
> Not fixing this in Potato and not issuing an advisory and a replacement mbr
> package for past distributions makes Debian a very weak distribution.

IMHO, you're right. The first source of problems is not the "outside" but
the inside users (well, first of all... the super-user, who can make 
super-stupidities ;).

This problem combined with the lack of a file /etc/shutdown.allow (is this
corrected in potato ?) allow everybody, even with a running system and no
physical access to the "reset" button, to reboot the system (no
/etc/shutdown.allow -> <CTRL><ALT><DEL> for anybody), and to gain
root access.

The correction seems absolutely not out from reach, so I can't see why
this couldn't be corrected and adviced...

website : http://www.polynum.com

Reply to: