Re: [POSSIBLE GRAVE SECURITY HOLD]
>>"Samuel" == Samuel Tardieu <firstname.lastname@example.org> writes:
Samuel> Since apparently several Debian developers disagree on
Samuel> whether this issue is critical or not, I'd like to get input
Samuel> from other developers.
Samuel>  The default Debian installation installs a MBR in your
Samuel> disk's MBR and installs lilo on your / partition.
Samuel>  Even if you set up your BIOS so that users can't boot
Samuel> from floppy disk and if you secure lilo with a
Samuel> password, your system can still be booted from a
Huh? The default system does not prevent booting from a
floppy; you have configured your BIOS and lilo. Why in god's name did
you stop there, and not secure the MBR yourself?
Samuel> - press shift at boot time, and Debian's MBR will
Samuel> give you a prompt
Samuel> - then press F, and your system will boot from
Samuel> floppy disk, and you will get full root access to
Samuel> the hard disk
Yup. Great feature. Has saved my skin a couple of times.
Samuel> The point here is that:
Samuel>  An option exists to install MBR without giving access
Samuel> to the floppy, thus closing entirely this security hole
This is not a security hole, any more than not having a
password in the default LILO config is. Most installations are not
secured against not having physical security, and we should cater to
the most common case.
Any site that requires full protection against potentially
hostile users is supposed to have sys admins who have a clue. So, we
should just document the MBR, and let the clueful sysadmins do their
job, and not make life harder for most installations.
Samuel>  No warning is given at all during the installation that this MBR
Samuel> has extra features
No warning is given during installs that LILO does not have a
password. I say add the MBR issue to the Security howto, and move on.
Samuel> Given that some of us (maybe all, this is not a flame, just a
Samuel> disagreement) do believe that this is an unacceptable security
Samuel> issue for Debian, I would like to get developers' opinion on
Sure. This is yet another case which is not secure enough in
some arcane situations. For the super paranoid, you have to configure
the stock Debian. What's wrong with that?
Samuel> Not fixing this in Potato and not issuing an advisory and a
Samuel> replacement mbr package for past distributions makes Debian a
Samuel> very weak distribution.
Fine. We like our weak distribution. Are you happy? Security
and ease of use have their compromises. Obviously, Debian's compromise
does not please you. But I, for one, belong to a group who find the
status quo eminently satisfactory, and indeed, more to be desired for
the common user than your high security set up.
Leave the MBR alone.
Lewis's Law of Travel: The first piece of luggage out of the chute
doesn't belong to anyone, ever.
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C