Re: vulnerability in Linux Debian default boot configuration

From: Pierre Beyssac (beyssacat_private)
Date: Thu Feb 03 2000 - 05:52:16 PST


    On Thu, Feb 03, 2000 at 07:48:52AM -0500, Brian Almeida wrote:
    > A 100+ message flamewar on debian-develat_private isn't enough
    > 'attention' for you, is it.  It has been thoroughly discussed there.  I invite
    
    Except it happened the other way around: the flame war came just
    after I wrote the post to Bugtraq. Check the date; I wrote it soon
    after I was notified that the priority of the bug report was
    downgraded.
    
    > anyone who wants to read the list archives (available on www.debian.org).
    > In any case, it has been resolved.
    
    Granted. But not with the resolution description you forwarded
    ("disables the floppy option from the first mbr prompt"): it was
    not enough of a fix because it still allowed the "A" menu.
    
    The final fix, which I tend to agree with, is to disable by default
    the "extended features" of this MBR:
    
    To: 56821-doneat_private
    Subject: Boot floppies 2.2.6 has been uploaded. (Was: Re: Bug#56821: [POSSIBLE GRAVE SECURITY HOLD])
    Message-ID: <87u2jqizug.fsf_-_at_private>
    
    
     Boot floppies 2.2.6 has been uploaded.
    
     Starting with this version of `boot-floppies', `install-mbr' is run
     with `--interrupt n', so that it is not interruptible during boot;
     that is, holding shift will NOT display the MBR menu; it should
     behave just like a standard MBR.  At local option, that functionality
     may be enabled by the system administrator, via the `install-mbr'
     command.
    
     You will find that `install-mbr --help' displays the following:
    
     Usage: install-mbr [options] <target>
     Options:
       -f, --force                       Override some sanity checks.
       -I <path>, --install <path>       Install code from the specified file.
       -k, --keep                        Keep the current code in the MBR.
       -l, --list                        Just list the parameters.
       -n, --no-act                      Don't install anything.
       -o <offset>, --offset <offset>    Install the MBR at byte offset <offset>.
       -P <path>, --parameters <path>    Get parameters from <path>.
       -r, --reset                       Reset the parameters to the default state.
       -T <path>, --table <path>         Get partition table from <path>.
       -v, --verbose                     Operate verbosely.
       -V, --version                     Show version.
       -h, --help                        Display this message.
     Parameters:
       -d <drive>, --drive <drive>       Set BIOS drive number.
       -e <option>, --enable <option>    Select enabled boot option.
       -i <mode>, --interrupt <keys>     Set interrupt mode. (a/c/s/cs/n)
       -p <partn>, --partition <partn>   Set boot partition (0=whole disk).
       -t <timeout>, --timeout <timeout> Set the timeout in 1/18 second.
     Interrupt modes:
       's'=Interrupt if shift or ctrl is pressed.
       'k'=Interrupt if other key pressed.
       'a'=Interrupt always.
       'n'=Interrupt never.
     Boot options:
       '1','2','3' or '4' - Partition 1,2,3 or 4.
       'F' - 1st floppy drive.
       'A' - Advanced mode.
     Report bugs to neiltat_private
    
    
     From `dbootstrap' (the familiar Debian installer program on the
     rescue floppy) right after opting to install `mbr', a message dialog
     will be displayed (unless the "quiet" bootarg was given) with the
     following to say:
    
    ----------------------------------------------------------------------
    
    	    Important Information about the installed MBR
    
       The master boot record program that was just installed supports
       several advanced options that have not been enabled by default.
       The installed configuration will cause it to behave just like a
       standard MBR.  For information about the advanced features
       supported by the mbr, please read the 'install-mbr' manual page.
    
    ----------------------------------------------------------------------
    
     I have verified that the `install-mbr' man page is installed with the
     base system.  It will be available for reading after the standard
     `man-db' setup is in place.
    
     We hope that this will be sufficient grounds for closing bug #56821.
    
    
     Karl M. Hegbloom <karlhegat_private>, on behalf of the `debian-boot'
     team.
    
     PS.
      It has been brought up that _perhaps_ for `woody', an `mbr' and
      `lilo' configuration widget can be added to `dbootstrap', allowing
      one to enable and configure the advanced `mbr' functionality, and
      even Lilo/Grub password access control features during installation.
    
    --
    Pierre Beyssac		pbat_private
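
The reasoning in this message as a small checker, added here as an example; it is not part of the original post or of the `mbr` package. The function names, the result labels, the target `/dev/hda` and the "review" verdict for a partition-only menu are assumptions, and the mode and enabled options are supplied by the administrator rather than parsed from `install-mbr --list`, whose output format is not shown on the page.

```shell
#!/bin/sh
# Added example: classify an install-mbr parameter choice using the
# reasoning in this thread. Nothing here touches a disk.

# mbr_risk <interrupt-mode> <enabled-boot-options>
#   interrupt-mode: a mode letter from the help text (s, k, a, n)
#   enabled-boot-options: string of 1 2 3 4 F A, e.g. "12FA"
mbr_risk() {
    mode=$1
    enabled=$2
    # 'n' = interrupt never: the MBR menu cannot be reached at boot,
    # so it behaves like a standard MBR (the boot-floppies 2.2.6 default).
    if [ "$mode" = "n" ]; then
        echo "ok"
        return 0
    fi
    # Menu is reachable: what matters is which options it offers.
    case $enabled in
        *F*) echo "exposed:floppy"; return 1 ;;    # 1st floppy drive bootable
        *A*) echo "exposed:advanced"; return 1 ;;  # removing F alone left "A"
        *)   echo "review"; return 2 ;;            # assumption: partitions only
    esac
}

# harden_cmd <target>: print (do not run) the command that matches the
# final fix described above.
harden_cmd() {
    printf 'install-mbr --interrupt n %s\n' "$1"
}

# Constructed sample configurations, not taken from a real system.
demo() {
    for cfg in "s 12FA" "s 12A" "s 12" "n 12FA"; do
        set -- $cfg
        printf '%-8s -> %s\n' "$cfg" "$(mbr_risk "$1" "$2")"
    done
    harden_cmd /dev/hda   # /dev/hda is a placeholder target
}

demo
```

The second sample row is the intermediate fix the message calls insufficient: the floppy option is gone but the "A" menu is still reachable.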
    


