Re: [POSSIBLE GRAVE SECURITY HOLD]
On Wed, Feb 02, 2000 at 11:38:12AM +0100, Samuel Tardieu wrote:
> Since apparently several Debian developers disagree on whether this issue
> is critical or not, I'd like to get input from other developers.
>
> [1] The default Debian installation installs a MBR in your disk's MBR and
> installs lilo on your / partition.
>
> [2] Even if you set up your BIOS so that users can't boot from floppy disk
> and if you secure lilo with a password, your system can still be booted
> from a floppy:
> - press shift at boot time, and Debian's MBR will give you a prompt
> 1FA:
> - then press F, and your system will boot from floppy disk, and you
> will get full root access to the hard disk
>
> The point here is that:
>
> [1] An option exists to install MBR without giving access to the floppy,
> thus closing entirely this security hole
>
> [2] No warning is given at all during the installation that this MBR
> has extra features
>
> Given that some of us (maybe all, this is not a flame, just a disagreement)
> do believe that this is an unacceptable security issue for Debian, I would
> like to get developers' opinion on this.
>
> Not fixing this in Potato and not issuing an advisory and a replacement mbr
> package for past distributions makes Debian a very weak distribution.
IMHO, you're right. The first source of problems is not the "outside" but
the inside users (well, first of all... the super-user, who can make
super-stupidities ;).

This problem combined with the lack of a file /etc/shutdown.allow (is this
corrected in potato?) allows everybody, even with a running system and no
physical access to the "reset" button, to reboot the system (no
/etc/shutdown.allow -> <CTRL><ALT><DEL> for anybody), and to gain
root access.

The correction seems absolutely not out of reach, so I can't see why
this couldn't be corrected and advised...

Cheers,
--
Thierry LARONDE
thierry.laronde@polynum.com
website : http://www.polynum.com
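
A check for the Ctrl-Alt-Del condition raised in the reply above, as an added example that is not part of the original thread. It assumes the sysvinit `id:runlevels:action:process` inittab format and the `-a` option of sysvinit's `shutdown`; the function name `audit_cad`, its verdict words and the sample inittab are constructed for illustration.

```shell
#!/bin/sh
# audit_cad INITTAB ALLOWFILE
# Prints one verdict word; returns 0 only when Ctrl-Alt-Del cannot be used
# by an arbitrary console user to reboot the machine.
audit_cad() {
    inittab=$1
    allow=$2
    # Take the process field of the first non-comment ctrlaltdel entry.
    proc=$(grep -v '^[[:space:]]*#' "$inittab" 2>/dev/null |
           awk -F: '$3 == "ctrlaltdel" { sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }')
    if [ -z "$proc" ]; then
        echo "no-handler"        # init has no action bound to the keys
        return 0
    fi
    case " $proc " in
        *" -a "*) ;;             # shutdown -a consults the allow file
        *) echo "unrestricted"; return 1 ;;
    esac
    # With -a but no allow file there is nothing to check against,
    # which is the situation the message describes.
    if [ ! -f "$allow" ]; then
        echo "no-allow-file"
        return 1
    fi
    echo "restricted"
    return 0
}

# Constructed sample: handler uses -a, but the allow file does not exist.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inittab" <<'EOF'
# constructed sample inittab
id:2:initdefault:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
EOF
audit_cad "$demo_dir/inittab" "$demo_dir/shutdown.allow" || true
rm -rf "$demo_dir"
```

The check only recognises `-a` as a separate word, so a handler that bundles it with other flags is reported as unrestricted and should be read by hand.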