
Re: [POSSIBLE GRAVE SECURITY HOLD]



Pierre Beyssac <beyssac@enst.fr> writes:

> > Uhmm, is this not inherently obvious?  If you don't want LILO in the
> > MBR, then you have to have SOMETHING there to boot the box.  Not
> > everyone had DOS on the machine previously.
> 
> I think you understood my question perfectly, because I tend to
> assume that since you make fun of other people's typos you must
> certainly read English quite correctly. I was talking about _THIS_
> MBR, not A MBR.

The purpose of this MBR is the same as that of any MBR.

> I obviously agree that you need a MBR. Why, of all the MBRs in the
> world, is this dangerous MBR installed instead of Lilo's MBR or
> any other secure MBR?

I don't buy that this one is "dangerous".  Like I said, it's like
calling a keyboard dangerous.

> Not a help button. A PROMINENT warning, and preferably another
> choice by default.

Which would mean that anybody without an MBR already on their system
would not get a bootable machine.  Bad idea.

> Fact: there are many systems vulnerable due to this bug. Why no
> official advisory? Does it improve system usability? Or maybe
> does it just improve _perceived_ system usability?

There is no bug.  The moment you start holding Debian responsible for
administrators that do dumb things or refuse to read the
documentation is the moment that common sense begins to evade your
argument.  Alas, I fear that moment is already at hand.

Debian is no more responsible for somebody that sets the root password
to an empty string than it is for somebody that doesn't read the LILO
docs on a password or doesn't read the MBR docs.  Further, as I have
pointed out, Unix, commercial or otherwise, does not ship configured by
default in a manner designed to thwart problems where hostile forces
have physical access to the machine.

I suggest that a far more reasonable solution, than installing no MBR,
is to add a mention of the MBR to the Security-HOWTO, which already
mentions things like padlocks and LILO.

-- John

-- 
John Goerzen   Linux, Unix consulting & programming   jgoerzen@complete.org |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
The 680,750th digit of pi is 6.