Bugtraq mailing list archives

Re: vulnerability in Linux Debian default boot configuration


From: beyssac () ENST FR (Pierre Beyssac)
Date: Thu, 3 Feb 2000 14:52:16 +0100


On Thu, Feb 03, 2000 at 07:48:52AM -0500, Brian Almeida wrote:
> A 100+ message flamewar on debian-devel () lists debian org isn't enough
> 'attention' for you, is it.  It has been thoroughly discussed there.  I invite

Except it happened the other way around: the flame war came just
after I wrote the post to Bugtraq. Check the date; I wrote it soon
after I was notified that the priority of the bug report was
downgraded.

> anyone who wants to read the list archives (available on www.debian.org).
> In any case, it has been resolved.

Granted. But not with the resolution description you forwarded
("disables the floppy option from the first mbr prompt"): it was
not enough of a fix because it still allowed the "A" menu.

The final fix, which I tend to agree with, is to disable by default
the "extended features" of this MBR:

To: 56821-done () bugs debian org
Subject: Boot floppies 2.2.6 has been uploaded. (Was: Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD])
Message-ID: <87u2jqizug.fsf_-_@bittersweet.intra>

 Boot floppies 2.2.6 has been uploaded.

 Starting with this version of `boot-floppies', `install-mbr' is run
 with `--interrupt n', so that it is not interruptable during boot;
 that is, holding shift will NOT display the MBR menu; it should
 behave just like a standard MBR.  At local option, that functionality
 may be enabled by the system administrator, via the `install-mbr'
 command.

 You will find that `install-mbr --help' displays the following:

 Usage: install-mbr [options] <target>
 Options:
   -f, --force                       Override some sanity checks.
   -I <path>, --install <path>       Install code from the specified file.
   -k, --keep                        Keep the current code in the MBR.
   -l, --list                        Just list the parameters.
   -n, --no-act                      Don't install anything.
   -o <offset>, --offset <offset>    Install the MBR at byte offset <offset>.
   -P <path>, --parameters <path>    Get parameters from <path>.
   -r, --reset                       Reset the parameters to the default state.
   -T <path>, --table <path>         Get partition table from <path>.
   -v, --verbose                     Operate verbosely.
   -V, --version                     Show version.
   -h, --help                        Display this message.
 Parameters:
   -d <drive>, --drive <drive>       Set BIOS drive number.
   -e <option>, --enable <option>    Select enabled boot option.
   -i <mode>, --interrupt <keys>     Set interrupt mode. (a/c/s/cs/n)
   -p <partn>, --partition <partn>   Set boot partition (0=whole disk).
   -t <timeout>, --timeout <timeout> Set the timeout in 1/18 second.
 Interrupt modes:
   's'=Interrupt if shift or ctrl is pressed.
   'k'=Interrupt if other key pressed.
   'a'=Interrupt always.
   'n'=Interrupt never.
 Boot options:
   '1','2','3' or '4' - Partition 1,2,3 or 4.
   'F' - 1st floppy drive.
   'A' - Advanced mode.
 Report bugs to neilt () chiark greenend org uk

 From `dbootstrap' (the familiar Debian installer program on the
 rescue floppy) right after opting to install `mbr', a message dialog
 will be displayed (unless the "quiet" bootarg was given) with the
 following to say:

----------------------------------------------------------------------

            Important Information about the installed MBR

   The master boot record program that was just installed supports
   several advanced options that have not been enabled by default.
   The installed configuration will cause it to behave just like a
   standard MBR.  For information about the advanced features
   supported by the mbr, please read the 'install-mbr' manual page.

----------------------------------------------------------------------

 I have verified that the `install-mbr' man page is installed with the
 base system.  It will be available for reading after the standard
 `man-db' setup is in place.

 We hope that this will be sufficient grounds for closing bug #56821.

 Karl M. Hegbloom <karlheg () debian org>, on behalf of the `debian-boot'
 team.

 PS.
  It has been brought up that _perhaps_ for `woody', an `mbr' and
  `lilo' configuration widget can be added to `dbootstrap', allowing
  one to enable and configure the advanced `mbr' functionality, and
  even Lilo/Grub password access control features during installation.

--
Pierre Beyssac          pb () enst fr


