Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am a Linux user and a Green Linux website owner. I know that there is a "vulnerability" in the Linux boot managers which allows anyone with physical access to the computer to change the "Root" password.
Can someone please describe in detail the steps required to secure both Lilo and Grub, so I can upload it to my website? As far as I know it involves setting up a password so that boot managers will not boot in single user mode without this password.
I don't know about Grub, never used it, but for lilo, you need to add the following to your lilo.conf file:
You can add these globally or to specific images. You need to specify 'restricted' so the machine will be able to reboot normally (not single-user mode) without entering a password. Then when you run lilo, to re-install the boot loader, you'll be prompted to set the password.
You can find more info by running 'man lilo.conf'.
Don't lull yourself into thinking that this adds much security, however. Anyone with physical access to the box can still use a boot disk to get access.
BTW It seems rather suspicious that you continually refer to doing this remotely, yet you're concerned about restricting those with physical access to the machine.
Before I get to the point, I would like to make a remark:
As soon as someone has physical access to the server, it will not help you to protect the boot manager with a password if there is a CD or floppy drive present. Using a bootable CD or floppy, anyone can get around your well-protected boot manager. Disabling those drives and setting a BIOS password will make it a little harder to get around this.
OK, here's a grub configuration:
Simply set the parameter password=***** in menu.lst.
If you would like to use an encrypted password, you need to create it first on a console with the command grub-md5-crypt; you then type/paste it as password --md5 ***** in menu.lst.
If you would like to have different menus for the administrator and user, add the 'alternative' menu.lst to the password line:
Well, I agree with what everyone else said. If anyone gets physical access to your box, you're already screwed, so why disable single-user? It's incredibly handy for un-borking your system if you do something stupid.
Single-user mode is used for system recovery. However, by default, no authentication is used if single-user mode is selected. This can be used to bypass security on the server and gain root access. To enable authentication for single-user mode, open the /etc/inittab file:
# vi /etc/inittab
Add the following line to the file:
Save and close the file.
PS: This method is for educational purposes only. As stated above, there is no use in preventing Single-User Mode if physical access is there.
ashvaibhav, please don't bring dead threads back to life (necroposting). We value your time and energy, and encourage you to spend it helping members with current issues. I'm closing this zombie thread so it may rest in peace.
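Added example, not part of any post in this thread: a small Python audit of the three settings discussed above (LILO `password` with `restricted`, a hashed GRUB legacy `password --md5` line in menu.lst, and `sulogin` for single-user mode in /etc/inittab). The function names are hypothetical, and the sample file contents, including the `~~:S:wait:/sbin/sulogin` line and the placeholder hash, are constructed assumptions.

```python
import re

# Constructed sample files (not taken from the thread); secrets are placeholders.
LILO_OK = "password=CONSTRUCTED\nrestricted\nimage=/boot/vmlinuz\n  label=linux\n"
LILO_WEAK = "password=CONSTRUCTED\nimage=/boot/vmlinuz\n  label=linux\n"
GRUB_OK = "password --md5 $1$PLACEHOLDER\ntitle Linux\nkernel /vmlinuz\n"
GRUB_WEAK = "password=CONSTRUCTED\ntitle Linux\nkernel /vmlinuz\n"
INITTAB_OK = "id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n"
INITTAB_WEAK = "id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n"

def _lines(text):
    """Yield config lines with comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_lilo(text):
    """lilo.conf: a password must be set, and 'restricted' keeps normal boots unattended."""
    keys = {re.split(r"[=\s]", line, maxsplit=1)[0] for line in _lines(text)}
    if "password" not in keys:
        return ["lilo: no password set"]
    if "restricted" not in keys:
        return ["lilo: password without 'restricted' (every boot will prompt)"]
    return []

def audit_grub_legacy(text):
    """menu.lst: require a password line, and flag any that is not an MD5 hash."""
    pw = [line for line in _lines(text) if re.match(r"password\b", line)]
    if not pw:
        return ["grub: no password line"]
    if any("--md5" not in line for line in pw):
        return ["grub: password stored in plaintext"]
    return []

def audit_inittab(text):
    """inittab (id:runlevels:action:process): runlevel S must start sulogin."""
    for line in _lines(text):
        fields = line.split(":", 3)
        proc = fields[3].split() if len(fields) == 4 else []
        if proc and "S" in fields[1] and proc[0].endswith("sulogin"):
            return []
    return ["inittab: single-user mode does not run sulogin"]

if __name__ == "__main__":
    for name, check, text in [("lilo.conf", audit_lilo, LILO_WEAK),
                              ("menu.lst", audit_grub_legacy, GRUB_WEAK),
                              ("inittab", audit_inittab, INITTAB_WEAK)]:
        print(name, check(text) or "ok")
```

To audit a real machine, pass the contents of the actual files to the three functions; as the replies above point out, a clean result still says nothing about an attacker who boots from removable media.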