Bugtraq mailing list archives
Re: vulnerability in Linux Debian default boot configuration
From: bcollins () DEBIAN ORG (Ben Collins)
Date: Thu, 3 Feb 2000 13:37:46 -0500
Just a quick comment. This was discussed (if you call a flame fest a discussion) to a great extent on Debian's list. To sum up the discussion:

a) The boot floppies were changed after this for potato to make sure the user knows about the default setup (the MBR that allows booting from floppy).

b) The vast majority of systems do not require physical security in this manner, and the benefits for rescuing failed systems using this feature outweigh the downside of the "issue".

c) It is felt that an admin who is first of all smart enough to set up the BIOS and LILO to disable floppy booting, and is in dire enough need to want this, should also be intelligent enough to know that the MBR is part of the boot process, and thus they should expect to make changes there as well.

d) Given that 99.9% of computer systems are set up to not disable floppy booting (forsaking the obviously biased percentage of people on this list who do have it disabled), it is not a problem to also have this as the default.

e) Anyone who wants true physical security will use physical measures to assure it. This means locked cases, locked racks, removing the floppy altogether. Thus the MBR plays a minor role in this type of security.

f) RTFM. The mbr program docs and the LILO docs explain about the MBR and security concerns dealing with it.

Even disabling the floppy does not assure physical security in a public manner (such as the machines that the original poster is using, e.g. publicly accessible terminals).

Thanks,
Ben

PS: I am not subscribed to BUGTRAQ at the moment, so please Cc questions, concerns.

--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins () debian org -- bcollins () openldap org -- bmc () visi net '
`---=========------=======-------------=-=-----=-===-======-------=--=---'