This is #56821 in the BTS.

----- Forwarded message from Thomas Quinot <thomas@cuivre.fr.eu.org> -----

From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Important security hole: mbr allows anyone to boot from a floppy.
X-Reportbug-Version: 0.48
X-Mailer: reportbug 0.48
Date: Tue, 01 Feb 2000 19:29:48 +0100

Package: boot-floppies
Version: 2.2.5
Severity: critical

During installation, boot-floppies set up a MBR using /sbin/install-mbr.
The installed mbr allows a user to boot from a floppy by pressing any key,
then typing "F" at the prompt. Any password protection or boot restriction
defined in lilo.conf can thus be bypassed.

There should be prominent warnings in the installation procedure to inform
administrators that choosing the default choice for MBR installation (which
is to use /sbin/install-mbr) grants root privileges to all users with access
to the console.

This is a very serious security problem; several machines at this site have
been compromised because of it. This report is therefore graded "critical"
and will be forwarded to debian-security.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux melchior 2.2.13 #1 mer nov 3 16:09:02 CET 1999 i586

----- End forwarded message -----

-- 
Thomas.Quinot@Cuivre.FR.EU.ORG