Linux Single Hole
I am sort of new to linux but have noticed something disturbing about it.
In a few of the manuals I have read they cover the "what if root password is lost" question. The answer some give is to just simply re-install linux. But one said to try typing "linux single" at the lilo/grub prompt.
I tried this and was able to type passwd root and change the root password.
Is there a way to disable this? If not what happens if someone gets in front of a major linux driven network computer and decides as a joke they will just change the root password?
Now you have me curious :D
What manual said to do that?
This is probably just a distribution-specific thing. Obviously some distributions like Corel and/or Mandrake probably have something like that for those that forget passwords. What distribution did you try this on?
if you use LILO
If you are using LILO to boot, you can change the LILO conf to password protect the "linux single" boot option. Do a search for:
linux howto lilo
I can't remember how to do it, myself, but if you can't find it there, I will post it here when I look it up in my documentation at home. Good luck.
That's actually not really a hole.....
Y'see, most Linux security is concerned with network-specific applications--i.e, sendmail, apache, telnet....
The physical security of the system--because the only way to put Linux in single-user mode (Runlevel 1, as I recall....) is to be at the console--is the sysadmin's problem. Any OS is insecure if you let someone at the physical system, because then, it becomes a hardware issue.
Keep in mind, also, that you want to make lilo.conf not readable to anyone if you have a password set. The password in lilo.conf is not encrypted in any way, shape, or form--thus, anyone who can read it will know what it is.
The only truly secure system is one which is sealed in a lead box at the bottom of a deep ocean trench, with the power off. And even that one can be compromised..... ;-)
what manual was it?
I found it in a Mandrake 7.2 manual, but I have also heard a few Slackware users say it worked on their boxes.
I didn't think that it could be "prohibited" but I was just wondering if there was a fix for it.
Thanks for the help. Keep posting here if you find anything that may help.
There are two parameters you can use to protect LILO.
To use these you need to edit your /etc/lilo.conf file.
To restrict all images with one password:
put password=<password> in the global section
To restrict individual images with different passwords:
put password=<password> under each image section
To restrict passing parameters to LILO (ie "linux single"):
put password=<password> at top AND place restricted under
image sections you DON'T want to restrict being passed in.
This is what my lilo.conf file looks like:
# Start LILO global section
boot = /dev/hda
message = /boot/boot_message.txt
password=somepassword # sets the global password to somepassword
timeout = 1200
vga = normal
# End LILO global section
# Linux bootable partition config begins
image = /vmlinuz
restricted # lets me pass this in at the LILO prompt without being asked
# for a password
root = /dev/hda2
label = linux
# Linux bootable partition config ends
Notice the two sections commented. I can just hit enter at the lilo prompt, or I can pass in "linux" and it will boot normally without bugging me for a password. However, if I type "linux single" at the prompt, it requests the password.
Don't forget to run the lilo command after making changes to your lilo.conf file so the new changes will be added. Also be sure to chmod 0600 your lilo.conf file so normal users can't see the password. Hope this helps and Happy Hacking!
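Added example (not part of the post above and not LILO's own code): a small Python audit that reads a lilo.conf and reports, per image, whether passing parameters such as "linux single" will prompt for the password, and whether the file mode lets other users read the cleartext password. The function names and status strings are made up for illustration, and a global password or restricted line is treated as applying to every image.

```python
import os
import stat

# Constructed samples: the lilo.conf from the post above (placeholder password),
# and the same image with no password or restricted line at all.
SAMPLE = """\
boot = /dev/hda
password=somepassword # global password
image = /vmlinuz
  restricted # prompt only when parameters are passed
  root = /dev/hda2
  label = linux
"""
UNPROTECTED = "boot = /dev/hda\nimage = /vmlinuz\n  root = /dev/hda2\n  label = linux\n"

def parse_lilo(text):
    """Split lilo.conf text into (global options, list of per-image options)."""
    glob, images, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key in ("image", "other"):        # each image=/other= line opens a section
            cur = {"path": val}
            images.append(cur)
        else:
            (glob if cur is None else cur)[key] = val or True
    return glob, images

def audit(text, mode=None):
    """Return ({label: prompt behaviour}, True if the file mode exposes the password)."""
    glob, images = parse_lilo(text)
    report = {}
    for img in images:
        has_pw = "password" in img or "password" in glob
        restricted = "restricted" in img or "restricted" in glob
        if not has_pw:
            status = "open"         # "linux single" is accepted with no prompt
        elif restricted:
            status = "params-only"  # plain boot is free, passing parameters asks for the password
        else:
            status = "always"       # every boot of this image asks for the password
        report[img.get("label", img["path"])] = status
    # Any group/other permission bit means the cleartext password is not owner-only.
    exposed = mode is not None and bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return report, exposed

def audit_file(path):
    with open(path) as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

Calling audit_file("/etc/lilo.conf") needs root once the file is mode 0600, and the report never echoes the password itself.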
this is NOT a bug
I have RedHat and I've seen this starting with 5.1 to 7.1...I first read about it in a Naba Barkakati book "RedHat Linux Secrets" I guess. This is the way it should be. What if somebody hacks you and changes your root password? ...What you can do is disable LILO so it won't ask for the OS/image you want to boot.
You guys have been a great help, I have also noticed that if you use a graphical boot loader (bootmagic, RedHat's graphical loader) that you don't really have a choice of passing arguments to lilo/grub.
Thanks for the help guys/girls
If you have problems with lilo,
you can load an active filesystem with any good bootdisk,
just load the active filesystem, and then edit lilo.conf, run lilo, and it should be fixed.