COMMAND

    MBR

SYSTEMS AFFECTED

    Debian Linux

PROBLEM

    Pierre Beyssac found the following. The recent stable releases (at
    least 2.0, 2.1 and soon-to-be-released 2.2 -- Hamm, Slink and
    Potato) of the Debian Linux distributions use a dangerous MBR in
    their default installation.

    When the SHIFT key is  pressed during the boot, the  installed MBR
    displays the  string "1FA:"  then waits  for a  keypress.  It then
    boots a  floppy if  the F  key is  pressed, bypassing any security
    measures.

    This happens:

        - regardless of the BIOS configuration (even with floppy  boot
          disabled and password-protected configuration).
        - regardless  of Lilo  (or other)  configuration: this happens
          before Lilo is even started,  so putting a password on  Lilo
          is of no use.

    Since this  MBR is  installed by  default during  the installation
    (unless the user  chooses to keep  the previous MBR,  which is not
    the natural choice  for an installation  from scratch, and  is not
    the default  choice anyway),  many sites  are probably  vulnerable
    even though they have taken  the usual steps to prevent  tampering
    with the boot process.

SOLUTION

    Quick  fix:  use  Lilo's   MBR  by  putting  "boot=/dev/hda"   (or
    equivalent) instead of "boot=/dev/hda1" in your Lilo configuration
    to install a barebones MBR.
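
    A check for the quick fix above, as an added example that is not
    part of the original advisory: it reads a lilo.conf and reports
    whether "boot=" names a whole disk or a partition. The function
    names and the sample file are constructed, and only /dev/hdX and
    /dev/sdX device names are assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): report where lilo.conf tells Lilo
# to write its boot sector.

# Print the value of the first boot= line, ignoring comments and quotes.
lilo_boot_target() {
    sed -n -e 's/#.*$//' \
        -e 's/^[[:space:]]*boot[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*$/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Classify a device name: whole IDE/SCSI disk, partition, missing, or unknown.
# Only /dev/hdX and /dev/sdX names are recognised (assumption of this example).
classify_boot_target() {
    case "$1" in
        "") echo missing ;;
        /dev/[hs]d[a-z]) echo disk ;;
        /dev/[hs]d[a-z][0-9]|/dev/[hs]d[a-z][0-9][0-9]) echo partition ;;
        *) echo unknown ;;
    esac
}

# Return 0 only when boot= names a whole disk, i.e. Lilo owns the MBR.
audit_lilo_conf() {
    target=$(lilo_boot_target "$1")
    case "$(classify_boot_target "$target")" in
        disk)      echo "OK: boot=$target, Lilo writes the MBR"; return 0 ;;
        partition) echo "WARN: boot=$target is a partition, the MBR is left as installed"; return 1 ;;
        # lilo.conf(5): without boot=, the device mounted as root is used.
        missing)   echo "WARN: no boot= line, Lilo falls back to the root device"; return 1 ;;
        *)         echo "CHECK: boot=$target not recognised, inspect by hand"; return 2 ;;
    esac
}

# Constructed sample: the layout the advisory describes as the default.
sample=$(mktemp)
printf '%s\n' '# constructed lilo.conf' 'boot=/dev/hda1' 'root=/dev/hda1' \
    'image=/vmlinuz' '  label=Linux' > "$sample"
audit_lilo_conf "$sample" || true
rm -f "$sample"
```

    Editing lilo.conf alone changes nothing on disk: /sbin/lilo has to
    be rerun for the new boot sector to be written.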

    Note: this  has been  registered as  Debian bug  ID 56821, but has
    just been downgraded as a  mere "wishlist" item, so clearly  it is
    not given the attention it deserves.

    Discussion on Debian's list brought the following. To sum up the
    discussion:

    a) The boot  floppies were changed  after this for  potato to make
       sure  the  user  knows  about  the  default setup (the MBR that
       allows booting from floppy).

    b) The vast majority of systems do not require physical security
       in this manner, and the benefits for rescuing failed systems
       using this feature outweigh the downside of the "issue".

    c) It is felt that an admin who is first of all smart enough to
       set up the BIOS and LILO to disable floppy booting, and is in
       dire need enough to want this, should also be intelligent
       enough to know that the MBR is part of the boot process, and
       thus they should expect to make changes there as well.

    d) Given that 99.9% of computer systems are set up to not disable
       floppy booting (forsaking the obviously biased percentage of
       people on this list who do have it disabled), it is not a
       problem to also have this as the default.

    e) Anyone who wants true physical security will use physical
       measures to assure it. This means locked cases, locked racks,
       removing the floppy altogether. Thus the MBR plays a minor
       role in this type of security.

    f) RTFM. The mbr program docs, and the LILO docs explain about
       the MBR and security concerns dealing with it. Even disabling
       the floppy does not assure physical security in a public
       manner (such as the machines that the original poster is
       using... e.g. publicly accessible terminals).