Security for /etc/lilo.conf

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901

    Security for /etc/lilo.conf

    A little tip for physical security inside the /etc/lilo.conf


    Anyone who uses lilo as a boot manager has the option to edit a line at the lilo prompt as well as choosing the available options.

    If at the lilo prompt, let us say you were to type in

    init=/bin/bash

    that would open a direct root shell on the machine, making it possible to copy the /etc/shadow onto a floppy in order to crack it at a later point. To prevent that, inside /etc/lilo.conf edit the following lines.

    password = hard_to_guess_password_here

    restricted

    The first option (password) will ask for the password every time you reboot the computer in order to choose an option, or to enter a syntax in lilo. Now, what if it's on a server, the power fails, and it reboots automatically and no one is there to enter the lilo password? This is where the second line is important.

    restricted

    meaning that it will only ask for a password if you try to enter a line such as (init=/bin/bash) or any other command (you can still choose the standard available options without the need to enter a password, letting the computer reboot normally by itself). This is an important step for computers which are accessible physically. The same applies for the GRUB boot manager.

    Hope this helps.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    even worse: init=/sbin/passwd
    and right after boot the box asks you to enter a (new) root password !!

    I used that trick on many a tux box.. (it was even noted in the SuSE book as a how-to-fix-after-forgetting-password !!)

    that's why my routers and servers don't have a lilo prompt (well among other reasons)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Well done, a clear and concise on topic post!

  4. #4
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    the_JinX, how very cool.

    I didn't know that with the init=/sbin/passwd. Proves again how important these lines inside /etc/lilo.conf really are.

    that's why my routers and servers don't have a lilo prompt (well among other reasons)
    What other reasons are you referring to there?




    Cheers.

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Faster boot time (I only use one operating system and one version of the kernel, so why choose)

    It is my personal opinion that when you don't need something you should disable it, else it might cause trouble later on..

    And I don't need the prompt for repairs, I always have my bootable "rescue" distro ready..

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    88
    Don't forget to make sure no one can read your pretty nice lilo.conf with password. You could also go one step further and protect it and other files with chattr. See the man page for more info, there are really nice modes, like immutable and append-only (could be useful for logs.. hehe).
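
Added example, not part of any post in this thread: a small shell check for the two points raised in posts #1 and #6, that lilo.conf carries an active password line (with or without restricted) and that group and other cannot read the file. The function name audit_lilo_conf and the sample file are constructed for illustration, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the thread. audit_lilo_conf is a hypothetical helper;
# assumes GNU stat. Treats a password/restricted line anywhere in the file as
# present and does not tell global options from per-image ones.

audit_lilo_conf() {
    conf=$1
    fail=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # Drop comments and surrounding whitespace so commented-out options do not count.
    active=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")

    if printf '%s\n' "$active" | grep -Eq '^password[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        # With a password but no 'restricted', every boot waits for the password.
        printf '%s\n' "$active" | grep -q '^restricted$' ||
            echo "NOTE: password without 'restricted': unattended reboots will wait at the prompt"
    else
        echo "FAIL: no password line: boot parameters such as init= are accepted unchallenged"
        fail=1
    fi

    # The password sits in the file, so group and other must have no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00|0) ;;
        *) echo "FAIL: mode $mode gives group/other access to the stored password"
           fail=1 ;;
    esac
    return $fail
}

# Constructed sample: options commented out, world-readable file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
boot=/dev/sda
# password = constructed_example
# restricted
image=/boot/vmlinuz
  label=linux
EOF
chmod 644 "$demo"
audit_lilo_conf "$demo" || echo "audit failed for constructed sample"
rm -f "$demo"
```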
