lilo.conf

Printable View

January 20th, 2003, 10:29 AM
instronics

Security for /etc/lilo.conf

A little tip for physical security inside the /etc/lilo.conf

Anyone who uses lilo as a boot manager, has the option to edit a line at the lilo prompt aswell as choosing the available options.

If at the lilo prompt, let us say you were to type in

init=/bin/bash

that would open a direct root shell on the machine, making it possible to copy the /etc/shadow onto a floppy in order to crack it at a later point. To prevent that, inside /etc/lilo.conf edit the following lines.

password = hard_to_guess_password_here

restricted

The first option (password) will ask for the password every time you reboot the computer in order to choose an option, or to enter a syntax in lilo. Now, what if its on a server, the power fails, and it reboots automatically and no one is there to enter the lilo password. This is where the second line is important.

restriced

meaning that it will only ask for a password if you try to enter a line such as ( init=/bin/bash) or any other command (you can still choose the standard available options without the need to enter a password, letting the computer reboot normally by itself). This is an important step for computers which are accesible physically. The same applies for the GRUB boot manager.

Hope this helps.
January 20th, 2003, 11:16 AM
the_JinX

even worse: init=/sbin/passwd
and right after boot the box asks you to enter a (new) root password !!

I used that trick on many a tux box.. (it was even noted in the SuSE book as a how-to-fix-after-forgetting-password !!)

that's why my routers and servers don't have a lilo prompt (well among other reasons)
January 20th, 2003, 03:25 PM
don

Well done, a clear and concise on topic post!
January 20th, 2003, 03:34 PM
instronics

the_JinX, how very cool.

I didnt know that with the init=/sbin/passwd . Proves again how important these lines inside /etc/lilo.conf really are.

Quote:

that's why my routers and servers don't have a lilo prompt (well among other reasons)

What other reasons are you reffering to there?

Cheers.
January 20th, 2003, 03:50 PM
the_JinX

Faster boot time ( I only use one operating system and one verson of the kernel, so why choose )

It is my personal opinion that when you don't need something you should disable it, else it might couse trouble later on..

And I don't need the prompt for repairs, I always have my bootable "rescue" distro ready..
January 29th, 2003, 12:08 AM
tatui

Don't forget to make sure noone can read you pretty nice lilo.conf with password. You could also go one step further and protect it and other files with chattr :) . See the man page for more info, there are really nice modes, like immutable and append-only (could be useful for logs.. hehe ). :cool: