
Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD]
On Wed, Feb 02, 2000 at 06:30:15PM -0600, Adam Di Carlo wrote:
> 
> So ... um....  what we've ended up doing, which I'm not sure is the
> right thing, is to inhibit the prompt entirely unless there's an
> error.
> 
> I'm not sure if that is the right thing to do, or whether it'd be more
> right to simply disable floppy and advanced mode.
> 
> Please advise.  Please do not flame.  Less than 3 posts on this topic
> per hour per person please. :)

Personal use case: I switched to grub a while back, but had some trouble
while getting things installed with it not booting.  Fortunately, because
of the debian MBR, I was able to instead boot my other, lilo-using rescue
partition and fix things up.  Other people have mentioned problems with
their bios booting from floppy, and using lilo as an mbr has serious
deficiencies -- for example, if one's default root partition becomes
corrupted, or if you just get sticky fingers and delete the wrong file,
then your machine becomes unbootable without the aid of a floppy, when
if one was using the current default mbr, it would be quite easy to
instead boot to a backup root partition (these things come in handy all
the time) or another OS to fix things, or to seek information on fixing
things.  I do not believe that the rescue disk can boot to Windows to
allow inexperienced users to search the web for information to fix their
problem.  Additionally, judging from the messages on this list, there
are far more people who like the current default than dislike it.  And
it doesn't make a lot of sense to lock down the mbr by default when we
do not lock down lilo, the bios or anything else.

At the same time, about once a week someone pops into #debian to ask
about that funny line-noise 1FA: prompt that they get on boot-up; there's
a lot of ignorance about this.

Given all of the above, I would recommend that:
1) The mbr be documented in the security howto and other such standard
   places -- someone should email the maintainer of said document?
2) That liloconfig, when asking whether to install lilo to the mbr,
   explicitly state that if it is not installed, then an alternate mbr
   which allows for anyone with console access to boot off of floppy
   will be installed, and give a reference to where more info can be
   found.  I think one explicit mention during the install is enough.
3) It doesn't make a lot of sense to me to use install-mbr -e -f-a,
   or install-mbr -i n, simply because I'm not sure that there's any
   effective difference between those and just installing lilo to the
   mbr.  But if people do want to be able to have the install set
   things up that way, then there should be a lowish priority question
   in base-config (is that possible?  how do liloconfig and base-config
   interact?), defaulting to the current configuration.  Really, though,
   almost anyone who would want to change the default is a special case,
   and should probably be expected to take care of it themselves once
   it's well documented.

-- Nathaniel