
Re: [POSSIBLE GRAVE SECURITY HOLD]



On 2 Feb 2000, John Goerzen wrote:

> It is NOT an insecure default.  It is being used in an insecure way.

Not in your limited field of view, but in the greater picture, it
obviously is. I have said before, the majority of Debian users are not
going to be affected by it. Still means it has to be fixed one way or the
other. What's the big deal of asking people during the installation if
they want this feature disabled? I get bothered by the
pcmcia-deinstall-question with every install too, and I think it's safe
that only a tiny fraction of Debian systems have any use for pcmcia. ;)

So one more question won't hurt, will it?

> We install LILO without a password by default.  Do you claim that's
> insecure?  If so, do you really think using a bootup password for LILO
> is appropriate, given that this would break needs for servers?  If
> not, what's so different about this?


I never bothered to check into lilo that much, the Debian users 
here all have the root password anyway. But, obviously if it is not
possible to prevent lilo from booting from floppy/an arbitrary
drive/partition, that needs to be fixed too. Let's face it, there are
cases where you will not want your users to have a chance to alter the
boot sequence. ;-)

In my eyes, anything that makes Linux/Debian more useful/better suited for
a wide array of tasks, is worth considering.
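The LILO point raised above (a boot password that does not break unattended servers) comes down to two lines in lilo.conf: `password=` and `restricted`. The following is an added example, not code from the thread or from Debian; it writes two constructed lilo.conf files (a typical default with no password, and the same config with the lock added), then checks each one the way an installer or audit script could. The config paths and the placeholder password value are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a lilo.conf for the settings
# that keep a user at the console from altering the boot sequence at the
# LILO prompt. "password=" sets the boot password; "restricted" limits the
# prompt to cases where extra kernel parameters (e.g. init=/bin/sh) are
# typed, so a plain "linux" entry still boots unattended on a server.
# Both sample configs below are constructed for this example.

# Returns 0 if a password line and the restricted keyword are both present
# (comments and indentation ignored), 1 otherwise.
lilo_boot_locked() {
    conf="$1"
    stripped=$(sed -e 's/#.*//' "$conf")
    pw=$(printf '%s\n' "$stripped" | grep -c '^[[:space:]]*password[[:space:]]*=' || true)
    rs=$(printf '%s\n' "$stripped" | grep -c '^[[:space:]]*restricted[[:space:]]*$' || true)
    [ "$pw" -gt 0 ] && [ "$rs" -gt 0 ]
}

# The password sits in cleartext in lilo.conf, so the file must not be
# readable by group or other. Returns 0 if both read bits are clear.
lilo_conf_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        ????-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

LILO_DIR=$(mktemp -d)
LILO_WEAK="$LILO_DIR/weak.conf"     # constructed: default with no password
LILO_FIXED="$LILO_DIR/fixed.conf"   # constructed: same config, lock added

cat > "$LILO_WEAK" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
chmod 644 "$LILO_WEAK"

cat > "$LILO_FIXED" <<'EOF'
boot=/dev/hda
prompt
timeout=50
# Global lock: the password is only asked for when parameters are typed
# at the prompt; an unattended boot of "linux" is unaffected.
password=REPLACE_ME_AT_INSTALL
restricted
image=/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
chmod 600 "$LILO_FIXED"

for f in "$LILO_WEAK" "$LILO_FIXED"; do
    if lilo_boot_locked "$f" && lilo_conf_private "$f"; then
        echo "$f: boot prompt locked, config readable by root only"
    else
        echo "$f: boot parameters can be altered from the console"
    fi
done
```

Two caveats worth keeping in mind: `restricted` only protects the LILO prompt, so booting from a floppy or another drive is decided by the BIOS boot order before LILO ever runs and has to be locked there; and because the password is stored in cleartext, the mode check on lilo.conf is as important as the password line itself.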

