Re: [POSSIBLE GRAVE SECURITY HOLD]
- To: John Goerzen <firstname.lastname@example.org>
- Cc: Pierre Beyssac <email@example.com>, Ruud de Rooij <firstname.lastname@example.org>, Joseph Carter <email@example.com>, Martijn van Oosterhout <firstname.lastname@example.org>, Samuel Tardieu <email@example.com>, Adam Di Carlo <firstname.lastname@example.org>, "Huneycutt, Doug" <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
- Subject: Re: [POSSIBLE GRAVE SECURITY HOLD]
- From: Thierry Laronde <firstname.lastname@example.org>
- Date: Wed, 2 Feb 2000 18:03:20 +0100
- Message-id: <20000202180320.A772@polynum.com>
- In-reply-to: <email@example.com>; from John Goerzen on Wed, Feb 02, 2000 at 09:47:54AM -0600
- References: <firstname.lastname@example.org> <389823E6.37B56639@cupid.suninternet.com> <20000202045337.A10828@debian.org> <email@example.com> <20000202145212.S99806@enst.fr> <firstname.lastname@example.org>
On Wed, Feb 02, 2000 at 09:47:54AM -0600, John Goerzen wrote:
> Pierre Beyssac <email@example.com> writes:
> > You miss the point. That this can be fixed by configuration doesn't
> > mean it's not a security hole in the first place.
> > The security hole is that the console is made insecure by default
> > without any warning from the installation program. That, in itself,
> > would warrant a security advisory.
> The console is automatically insecure. What led you to believe
Specially when, like in slink, the lack of a file /etc/shutdown.allow allows
anybody to reboot...
> > On the other hand, nobody knows that you ALSO have to edit the
> > boot= line in lilo.conf to remove the dangerous MBR.
> Do people also know that you have to padlock your computer's case
> shut? That you have to password-protect the BIOS? That you have to
> password-protect LILO? None of these have an obvious prompt, and on
> some computers may require physical case modifications.
All that you have cited are *NOT* operating system issues. The BIOS is not
Debian, the hardware is not Debian, etc...
What is asked for is, at least, *DOCUMENTATION*.
Let me remind... I have read that somewhere... Perhaps you can tell :
"WE WON'T HIDE PROBLEMS"
website : http://www.polynum.com