
Re: [POSSIBLE GRAVE SECURITY HOLD]



On -1 xxx -1, Joey Hess wrote:

> Again, why should mbr be held to a different standard than lilo? You say
> it's undocumented, but see /usr/doc/mbr/README:
> 
>    The boot prompt looks something like this:
> 
>    14FA:
> 
>    This is the list of valid keys which may be pressed.  This means that
>    partitions 1, and 4 can be booted, also the first floppy drive (F).  The
>    A means that 'advanced' mode may be entered, in which any partition may
>    be booted.

If you REALLY need this feature disabled, just do this:

install-mbr -e -f -e -a
<Disable F and A>

-or this-

install-mbr -i n
<Disable prompt altogether>

-or even this-

lilo -b /dev/hda
<Put LILO into MBR>
<You could also modify /etc/lilo.conf so boot=/dev/hda>

I recommend that this "bug" be in Security-HOWTO, which should be read by
_EVERYONE_ who wants a secure box. (Putting a message in the install
script for mbr doesn't help as it would zip by so fast). It is an
excellent default behaviour to allow F and A, though. Some people
may depend on it being there in an emergency.

Personally, I just have LILO on my MBR, and have a password-protected
floppy option. I plan to switch to GNU GRUB soon, though.


