
[POSSIBLE GRAVE SECURITY HOLE]



Since apparently several Debian developers disagree on whether this issue
is critical or not, I'd like to get input from other developers.

  [1] The default Debian installation installs a MBR in your disk's MBR and
      installs lilo on your / partition.

  [2] Even if you set up your BIOS so that users can't boot from floppy disk
      and if you secure lilo with a password, your system can still be booted
      from a floppy:
         - press shift at boot time, and Debian's MBR will give you a prompt
           1FA:
         - then press F, and your system will boot from floppy disk, and you
           will get full root access to the hard disk

The point here is that:

  [1] An option exists to install MBR without giving access to the floppy,
      thus closing entirely this security hole

  [2] No warning is given at all during the installation that this MBR
      has extra features

Given that some of us (maybe all, this is not a flame, just a disagreement)
do believe that this is an unacceptable security issue for Debian, I would
like to get developers opinion on this.

Not fixing this in Potato and not issuing an advisory and a replacement mbr
package for past distributions makes Debian a very weak distribution.

To take an analogy, what if your distribution installs a root shell freely
available on virtual console F9 (so that it won't be easily noticed) without
warning the system administrator by default?

  Sam

PS/ in Pierre's case, machines were physically secured with anti-theft cables
    and monitored by video cameras, so compromising the hardware is much harder
    than pressing shift then F at boot time to gain root access

Adam Di Carlo wrote, in the BTS (bug #56821):

| I agree with Ben's assessment.  I do not believe that the default way
| boot-floppies ships, that is, with floppy booting enabled, is
| incorrect, although I do recognize that some may wish it was not so.
| 
| In accordance with that wish, I have retitled and changed the
| severity of this bug.  It should be possible to skip mbr and install
| lilo directly, disabling floppy booting (what in lilo.conf would have
| to be changed?).
| 
| I do not believe this is release critical, however.  Moreover, I can't
| wait until woody when hopefully we'll all be using 'grub', which
| hopefully will be easier for us (boot-floppies maintainers) to work
| with.

Attachment: pgp6pYHx5vOT5.pgp
Description: PGP signature