Re: [POSSIBLE GRAVE SECURITY HOLD]
On Wed, 2 Feb 2000, Martijn van Oosterhout wrote:
>Samuel Tardieu wrote:
>>
>> Since apparently several Debian developers disagree on whether this issue
>> is critical or not, I'd like to get input from other developers.
>>
>> [1] The default Debian installation installs a MBR in your disk's MBR and
>> installs lilo on your / partition.
>>
>> [2] Even if you set up your BIOS so that users can't boot from floppy disk
>> and if you secure lilo with a password, your system can still be booted
>> from a floppy:
>> - press shift at boot time, and Debian's MBR will give you a prompt
>> 1FA:
>> - then press F, and your system will boot from floppy disk, and you
>> will get full root access to the hard disk
If you're that paranoid about someone booting from a floppy you shouldn't
have a floppy drive in the machine. Force the cracker to open the machine
and install one. Maybe "rm /dev/fd*" would do it. If someone can do this
without you noticing then they can probably take the hdd out or steal the
whole machine.
>> To take an analogy, what if your distribution installs a root shell freely
>> available on virtual console F9 (so that it won't be easily noticed) without
>> warning the system administrator by default?
This is hardly an analogy. Any novice logged into the machine from
anywhere can see a shell running on tty9 from ps and wonder what's going
on.
>OTOH, if you have physical access to the machine is there really any
>security?
nope.