Your message dated Mon, 15 Dec 2008 00:22:39 +0100 with message-id <20081214232239.GA3171@stro.at> and subject line Re: initramfs: bail to shell on error: insecure default has caused the Debian Bug report #504043, regarding initramfs: bail to shell on error: insecure default to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
504043: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504043
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: initramfs: bail to shell on error: insecure default
- From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
- Date: Thu, 30 Oct 2008 20:06:08 +0100
- Message-id: <20081030190608.GA6914@darkside.22.kls.lan>
Package: initramfs-tools
Version: 0.92l

Hello,

initrams created by initramfs-tools default to opening shell access to the system on errors. This is an insecure default. Errors can be induced on otherwise secured systems in many ways, like plugging in USB sticks, eSATA devices, entering wrong passphrases, or whatever. The rest of the system tries to ensure not to give away unauthorized (root) shells by asking for passwords when entering maintenance or single user mode, etc.

I know that initrams can be tweaked not to bail to a shell as a side-effect of setting the panic= kernel parameter. However, users have to explicitly choose this secure way. A cleaner approach w.r.t. secure defaults, IMHO, would be to let users choose the insecure way by setting a `bailtoshell' parameter or something like that (probably at the kernel commandline to allow emergency intervention).

I'm not sure about the severity of this bug report, so I leave that up to you.

regards
Mario
--
> As Luke Leighton said once on samba-ntdom, "now, what was that about
> rebooting? that was so long ago, i had to look it up with man -k."

Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 504043-done@bugs.debian.org
- Subject: Re: initramfs: bail to shell on error: insecure default
- From: maximilian attems <max@stro.at>
- Date: Mon, 15 Dec 2008 00:22:39 +0100
- Message-id: <20081214232239.GA3171@stro.at>
yes we try to be user friendly. the bailout does not happen in usual conditions. see longer postings in d-kernel and use panic if you don't want that for a secured env.

not a bug but a design decision, closing.

--
maks
--- End Message ---
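
A way to check whether a kernel command line carries the panic= parameter that both messages point to, added here as an example; it is not part of the bug report or of initramfs-tools. The function names and sample command lines are constructed, and treating the last panic= token as the effective one and an empty value as unset are assumptions.

```shell
#!/bin/sh
# Added example: audit a kernel command line for the panic= parameter that
# the thread names as the way to stop the initramfs opening a shell.

# Print the value of the last panic= token in the given command line.
# Returns 1 when no panic= token with a non-empty value is present.
# Assumption: tokens are whitespace-separated and the last one wins.
panic_value() {
    value=""
    set -f                      # no glob expansion while splitting tokens
    for token in $1; do
        case "$token" in
            panic=*) value="${token#panic=}" ;;
        esac
    done
    set +f
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Classify a command line: "shell" means the default described in the
# report applies (shell on error), "no-shell" means panic= is set.
error_behaviour() {
    if panic_value "$1" >/dev/null; then
        echo "no-shell"
    else
        echo "shell"
    fi
}

# Constructed sample command lines (not taken from a real system).
SAMPLE_DEFAULT='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet'
SAMPLE_HARDENED='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro panic=10'

for cmdline in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    printf '%-9s %s\n' "$(error_behaviour "$cmdline")" "$cmdline"
done

# On a live system, audit the running kernel's own command line.
if [ -r /proc/cmdline ]; then
    printf 'running:  %s\n' "$(error_behaviour "$(cat /proc/cmdline)")"
fi
```

Parameters that merely contain the word, such as panic_on_oops=1, are not counted as panic=.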