Is this a Linux security flaw?
If I press Ctrl+X at the LILO prompt during bootup and type this string at the boot prompt:
"linux init s"
where "linux" is the boot partition label, I enter into single user mode. The security glitch is that anybody can type passwd at the shell prompt and Linux promptly allows the root password to be changed. Is this a strength or a weakness of Linux?
Can I disable this feature?
There are a lot of aspects of a default configuration that could be considered security holes, and what you're describing is certainly one of the more well-known. The key word is default though, because the system admin can close the hole you describe by modifying the bootloader's config file and mucking around with a few file attributes.
Some have also argued the exploit you describe can be considered kind of moot, because someone attempting to crack your system in that way has to have physical access to the system. If they do have physical access to your box, what's to stop them from just removing your hard drive and putting it in another computer (which would bypass the bootloader altogether)?
- just my $0.02...
<edit> Instructions for securing Lilo (and more) </edit>
add the word
and rerun lilo
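An added example, not part of the original posts: a small audit for the bootloader-config hardening the reply mentions. It assumes the fix in question is LILO's `password` option (optionally with `restricted`) together with non-world-readable permissions on the config file. The sample configs, placeholder password and function names are constructed for illustration.

```python
import os
import stat

# Constructed sample configs (not from the thread); the password is a placeholder.
WEAK = """boot=/dev/hda
prompt
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
"""
HARDENED = WEAK.replace("prompt\n", "prompt\npassword=PLACEHOLDER\nrestricted\n")

def parse_lilo(text):
    """Split lilo.conf text into global options and per-image option dicts."""
    glob, images, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key.lower() in ("image", "other"):  # starts a new boot entry
            cur = {"path": val}
            images.append(cur)
        else:
            (glob if cur is None else cur)[key.lower()] = val
    return glob, images

def unprotected_labels(text):
    """Labels that accept extra boot arguments (e.g. single-user) with no password."""
    glob, images = parse_lilo(text)
    return [img.get("label", img["path"]) for img in images
            if "password" not in glob and "password" not in img]

def mode_too_open(mode):
    """True if group or other has any access; the password sits in this file."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    path = "/etc/lilo.conf"  # usual location; adjust if yours differs
    if os.path.exists(path):
        with open(path) as fh:
            print("no password:", unprotected_labels(fh.read()))
        print("permissions too open:", mode_too_open(os.stat(path).st_mode))
    else:
        for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
            print(name, "->", unprotected_labels(cfg))
```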