LinuxQuestions.org
Old 10-27-2004, 07:57 AM   #1
LinuxSeeker
Member
 
Registered: Feb 2004
Location: Linuxland
Distribution: Ubuntu 5.10, KUbuntu 5.10, Mandrake 10.1 - Ubuntu 5.04 (Hoary)
Posts: 346

Rep: Reputation: 30
Preventing Linux from booting in Single User Mode


I am a Linux user and a Green Linux website owner. I know that there is a "vulnerability" in the Linux boot managers which allows anyone with physical access to the computer to change the "Root" password.

Can someone please describe in detail the steps required to secure both Lilo and Grub, so I can upload it to my website? As far as I know it involves setting up a password so that boot managers will not boot in single user mode without this password.

Thank you for your help.
 
Old 10-27-2004, 08:12 AM   #2
predator.hawk
Member
 
Registered: Aug 2004
Location: USA
Distribution: FreeBSD-5.4-STABLE
Posts: 252

Rep: Reputation: 30
Generally, I prefer to have single user mode and as this is an attack which can only be done locally, as long as people have common sense they should be fine =).
 
Old 10-27-2004, 02:28 PM   #3
LinuxSeeker
Member
 
Registered: Feb 2004
Location: Linuxland
Distribution: Ubuntu 5.10, KUbuntu 5.10, Mandrake 10.1 - Ubuntu 5.04 (Hoary)
Posts: 346

Original Poster
Rep: Reputation: 30
I understand, but I need to find out how to prevent the boot manager from loading the OS in single user mode to upload it to my website.
 
Old 10-28-2004, 06:07 AM   #4
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
I don't know about Grub, never used it, but for lilo, you need to add the following to your lilo.conf file:
Code:
password=""
restricted
You can add these globally or to specific images. You need to specify 'restricted' so the machine will be able to reboot normally (not single-user mode) without entering a password. Then when you run lilo, to re-install the boot loader, you'll be prompted to set the password.

You can find more info by running 'man lilo.conf'.

Don't lull yourself into thinking that this adds much security, however. Anyone with physical access to the box can still use a boot disk to get access.

BTW It seems rather suspicious that you continually refer to doing this remotely, yet you're concerned about restricting those with physical access to the machine.

Enjoy!
--- Cerbere
 
Old 10-28-2004, 06:34 AM   #5
abisko00
Senior Member
 
Registered: Mar 2004
Location: Munich
Distribution: SuSE, Ubuntu
Posts: 3,511

Rep: Reputation: 58
Before I get to the point, I would like to make a remark:

As soon as someone has physical access to the server, it will not help you to protect the boot manager with a password if there is a CD or floppy drive present. Using a bootable CD or floppy, everyone can get around your well-protected boot manager. Disabling those drives and setting a BIOS password will make it a little harder to get around this.

OK, here's a grub configuration:

Simply set the parameter password=***** in menu.lst

If you would like to use an encrypted password, you need to create it first on a console with the command grub-md5-crypt, this you type/paste as password --md5 ***** in menu.lst.

If you would like to have different menus for the administrator and user, add the 'alternative' menu.lst to the password line:

password --md5 $1$91nYZ/$6VqqiGwU74JXhKK9TngRD /boot/grub/secret-menu.lst

This information is from a German grub HowTo and I did not test it!

http://www.4demon.com/t_system/grub-howto.html

Last edited by abisko00; 10-29-2004 at 09:59 AM.
 
Old 10-28-2004, 03:33 PM   #6
Fenster
Member
 
Registered: Jul 2004
Location: Ireland
Distribution: Fedora Core 2
Posts: 70

Rep: Reputation: Disabled
Well I agree with what everyone else said. If anyone gets physical access to your box, you're already screwed, so why disable single-user? It's incredibly handy for un-borking your system if you do something stupid.
 
Old 10-29-2004, 09:50 AM   #7
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
You don't have to entirely disable single user mode. Set a secure enough password to enter single-user mode.
Don't know the procedure offhand.

As earlier stated, with physical access there is nothing called secure. The web is flooded with BIOS password recovery tools. Get a good lock on the server room, that should enhance the security.
 
Old 08-28-2009, 12:15 AM   #8
ashvaibhav
LQ Newbie
 
Registered: Aug 2008
Posts: 2

Rep: Reputation: 0
Enable Authentication for Single-User Mode

Single-user mode is used for system recovery. However, by default, no authentication is used if single-user mode is selected. This can be used to bypass security on the server and gain root access. To enable authentication for single-user mode, open the /etc/inittab file:
# vi /etc/inittab
Add the following line to the file:
~~:S:wait:/sbin/sulogin
Save and close the file.

PS: This method is for educational purposes only. As stated above, there is no use in preventing single-user mode if physical access is there.

Source:http://www.cyberciti.biz/tips/tips-t...le-access.html
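
An added example (not written by any poster in this thread) that audits the three settings described above: the `password`/`restricted` pair in lilo.conf, the `password` line in GRUB's menu.lst, and the `sulogin` entry in /etc/inittab. The function names and the sample file contents are constructed for illustration; point the functions at copies of the real files.

```shell
#!/bin/sh
# Added example: audit the three boot settings discussed in this thread.
# Function names and sample file contents are constructed for illustration.

# Print a config file without its comment lines.
active() { grep -v '^[[:space:]]*#' "$1" || true; }

# lilo.conf: "restricted" = password only asked when boot parameters are given.
check_lilo() {
    if ! active "$1" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo unprotected
    elif active "$1" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$'; then
        echo restricted
    else
        echo password-every-boot   # unattended reboots will stall at the prompt
    fi
}

# GRUB menu.lst: distinguish a hashed password from a cleartext one.
check_grub() {
    if active "$1" | grep -Eq '^[[:space:]]*password[[:space:]=]+--md5[[:space:]]'; then
        echo md5
    elif active "$1" | grep -Eq '^[[:space:]]*password[[:space:]=]'; then
        echo plaintext
    else
        echo unprotected
    fi
}

# inittab: an entry for runlevel S whose process is /sbin/sulogin.
check_inittab() {
    awk -F: '!/^[ \t]*#/ && $2 ~ /S/ && $4 ~ /^\/sbin\/sulogin/ { ok = 1 }
             END { print (ok ? "sulogin" : "no-auth") }' "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    printf 'boot=/dev/hda\npassword=""\nrestricted\nimage=/vmlinuz\n' > "$1/lilo.conf"
    printf 'timeout 5\npassword topsecret\ntitle Linux\n' > "$1/menu.lst"
    printf '# ~~:S:wait:/sbin/sulogin\nid:3:initdefault:\n' > "$1/inittab"
}

d=$(mktemp -d)
make_samples "$d"
echo "lilo:    $(check_lilo "$d/lilo.conf")"      # restricted
echo "grub:    $(check_grub "$d/menu.lst")"       # plaintext
echo "inittab: $(check_inittab "$d/inittab")"     # no-auth (line is commented out)
rm -rf "$d"
```
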
 
Old 08-28-2009, 07:12 AM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
ashvaibhav, please don't bring dead threads back to life (necroposting). We value your time and energy, and encourage you to spend it helping members with current issues. I'm closing this zombie thread so it may rest in peace.
 
  

