Re: [POSSIBLE GRAVE SECURITY HOLD]
On Wed, Feb 02, 2000 at 08:48:58PM -0600, Manoj Srivastava wrote:
> Any saite that requires full protection against potentially
> hostile users is supposed to have sys admins who have a clue. So, we
> should just document the MBR, and let the clueful sysadmins do their
> job, and not make life harder for most installations.
> Samuel>  No warning is given at all during the installation that this MBR
> Samuel> has extra features
> No warning is given during installs that LILO does not have a
> password. I say add the MBR issue to the Secvurity howto, and move on.
I don't quite understand why we are still "fighting", every body seem to
agree that there is some lack of documentation. And that's all.
For an `amateur', or a non-wizard sysadmin, the MBR is obviously something
with the same features as others MBR, or, possibly, something related to
LILO. If I hardly discovered the documentation about the mbr, I thought
this was redondant with the LILO documentation.
I have discovered two things linked with this thread :
- Debian's MBR is something special with, possibly, very interesting
features : that something that seems powerful;
- but as anything powerful, that can introduce security holes if you are
not aware of, in some special cases (you must allow rebooting or booting,
so you can't put the password in the setup, but you must control the boot
The default used by Debian is an extra discussion. There is no problem if
it is made obvious that there are special features that must be known.
So like a lot of people have said, just make a warning :"Be careful : the
MBR installed has some extra features that make it powerful, but then
possibly dangerous if misconfigured. Please DO read the documentation here
And IMHO that will be enough...
The worst in this case is not the security hole (yes, indeed, in some special
cases but this remains one). The worst is that I have something possibly
useful, and I don't know...
Thierry LARONDE <firstname.lastname@example.org>
website : http://www.polynum.com
/home du SDF (Site Debian Francophone) : http://www.polynum.com/debian