
Re: [POSSIBLE GRAVE SECURITY HOLD]



On Wed, Feb 02, 2000 at 09:47:54AM -0600, John Goerzen wrote:
> Pierre Beyssac <beyssac@enst.fr> writes:
> 
> > You miss the point. That this can be fixed by configuration doesn't
> > mean it's not a security hole in the first place.
> > 
> > The security hole is that the console is made insecure by default
> > without any warning from the installation program. That, in itself,
> > would warrant a security advisory.
> 
> The console is automatically insecure.  What led you to believe
> otherwise?

Especially when, like in slink, the lack of a file /etc/shutdown.allow allows
anybody to reboot...

> 
> > On the other hand, nobody knows that you ALSO have to edit the
> > boot= line in lilo.conf to remove the dangerous MBR.
> 
> Do people also know that you have to padlock your computer's case
> shut?  That you have to password-protect the BIOS?  That you have to
> password-protect LILO?  None of these have an obvious prompt, and on
> some computers may require physical case modifications.

All that you have cited are *NOT* operating system issues. The BIOS is not
Debian, the hardware is not Debian, etc...

What is asked for is, at least, *DOCUMENTATION*.

Let me remind you... I have read that somewhere... Perhaps you can tell:

"WE WON'T HIDE PROBLEMS"

-- 
Thierry LARONDE
thierry.laronde@polynum.com
website : http://www.polynum.com

