
Re: [POSSIBLE GRAVE SECURITY HOLD]



On Wed, Feb 02, 2000 at 06:30:15PM -0600, Adam Di Carlo wrote:
> So ... um....  what we've ended up doing, which I'm not sure is the
> right thing, is to inhibit the prompt entirely unless there's an
> error.

That is the right solution for the people that want a secure
shared environment.  However, it's the wrong solution for the
general case.

Basically, the boot prompt is a way of taking control of the
machine and making it do what you need it to do.  In removing
the prompt you prevent the user from controlling their machine.

In the case of a student environment -- where you want to prevent
them from booting up with a new operating system, and where there's
no reason to ever adapt to new hardware, it's perfectly reasonable
to disable the boot prompt.

After all, with a boot prompt, the student could get root access using
init=/bin/sh  [Oh, wait, then that would be a "grave" bug in lilo..]

For most people the capability to boot the system after it's been hosed is
a valuable thing.  (Perhaps with init=/bin/sash if some shared libraries
have been damaged -- or perhaps off some alternate media, or perhaps with
some hardware specific parameter to work around a driver problem, or ...)

For the typical case where the person installing Debian will be its
primary user, the boot prompt is a valuable tool to be used in making
the machine work properly.

-- 
Raul
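
Added example, not part of the message above or of any Debian or LILO code: a small audit of a lilo.conf that reports, per image, whether boot parameters such as init=/bin/sh can be entered without a password. It relies on LILO's `password=` and `restricted` options, which the thread does not mention; both sample configurations are constructed, and inheriting global options into each image is a simplifying assumption.

```python
def parse_lilo_conf(text):
    """Split a lilo.conf into global options and per-image option dicts."""
    global_opts, images, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in values)
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in ("image", "other"):         # a new per-image section starts here
            current = {"path": value}
            images.append(current)
        elif current is not None:
            current[key] = value              # option belongs to the current image
        else:
            global_opts[key] = value          # option appears before any image
    return global_opts, images

def audit(text):
    """Map each image label to 'open', 'restricted' or 'mandatory'."""
    global_opts, images = parse_lilo_conf(text)
    report = {}
    for img in images:
        merged = {**global_opts, **img}       # assumption: image inherits globals
        label = img.get("label", img["path"])
        if "password" not in merged:
            report[label] = "open"            # anyone at the prompt can add init=/bin/sh
        elif "restricted" in merged:
            report[label] = "restricted"      # boots unattended; parameters need the password
        else:
            report[label] = "mandatory"       # password needed for every boot
    return report

# Constructed sample: prompt enabled, nothing protected.
WEAK = "boot=/dev/hda\nprompt\ntimeout=50\nimage=/vmlinuz\n  label=Linux\n  read-only\n"

# Constructed sample: one image protected per-image, one forgotten.
MIXED = """boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
  label=Linux
  password=CHANGE-ME   # constructed placeholder
  restricted
image=/vmlinuz.old
  label=LinuxOLD
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(MIXED))
```

A `restricted` image keeps the prompt available for recovery while requiring the password only when parameters are typed. A lilo.conf that contains a password should be readable by root only.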

