LinuxQuestions.org


ejennings_98 11-16-2005 11:49 AM

Protect against root password change
 
I have recently had to force a change of the root password on a linux box I was running. It was a test system which I had not used in a while, so I forgot the root password (not so smart).

Anyway, I found that it was amazingly easy to reset the root password. Here is a straightforward article on how to do it.
http://aplawrence.com/Linux/lostlinuxpassword.html

My question is: how can you protect against this? I see this as a security hole.

I understand that the user must have physical access to the computer, but I want to lock the system down so you cannot easily enter single user mode or the root password cannot be changed.

Regards, Eric.

sopiaz57 11-16-2005 12:16 PM

prevent single user mode
 
You can lock the bios so they can't boot from cd, then install your system with no boot loader.

ejennings_98 11-16-2005 12:35 PM

sopiaz57:

Thanks for the reply. How would you safely remove the boot loader from an existing system?

Eric

alienDog 11-19-2005 09:19 AM

Errh... how would you boot the system without a boot loader then?

It's also possible to password protect lilo (don't know about grub) so that entering the single user mode requires a password. I believe it was password="password" in the lilo.conf. You need to run lilo afterwards in order for the password protection to take effect. Also remember to change the permissions of the lilo.conf so that it's only readable by root.

Finally prevent booting from CD, USB, and floppy (if you have one) from your machine's bios.

ejennings_98 11-20-2005 02:12 PM

alienDog:

Good point, no boot loader = no boot. I have never had issues with the boot process and therefore I do not know much about Linux boot loaders. I also assumed sopiaz57 knew what he was talking about.

How can I add a password to the boot loader? I am using lilo.

Eric

makuyl 11-20-2005 02:18 PM

And don't forget to weld the box shut so the cmos battery can't be pulled which would reset the bios including the bios password. Seriously, with physical access total security is close to impossible. And yes, you can set a password in grub.

alienDog 11-20-2005 02:24 PM

This is how you set it:

1. add a line that says:

password="yourpassword"

to your /etc/lilo.conf.

2. chmod 600 /etc/lilo.conf to make it readable by root only (otherwise users will be able to see the lilo password).

3. run /sbin/lilo
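
One way to verify the three steps from the post above, as an added example that is not part of the original thread. The function name `audit_lilo_conf`, its optional arguments and the `/boot/map` default (LILO's usual map file) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a lilo.conf against the three steps in the post.
# Usage: audit_lilo_conf [CONF] [EXPECTED_UID] [MAP]
# Returns 0 if every check passes, 1 if any fails, 2 if CONF is unreadable.
audit_lilo_conf() {
    conf=${1:-/etc/lilo.conf}
    want_uid=${2:-0}        # root unless told otherwise
    map=${3:-/boot/map}     # assumption: LILO's default map file location
    rc=0

    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Step 1: an uncommented password= directive must be present.
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "FAIL: no password= directive in $conf"; rc=1
    fi

    # Step 2: the password sits in the file in clear text, so group and
    # other must have no access at all and the owner must be want_uid.
    perms=$(ls -ldn "$conf" | awk '{ print substr($1, 5, 6) }')
    uid=$(ls -ldn "$conf" | awk '{ print $3 }')
    if [ "$perms" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other (chmod 600)"; rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $conf is owned by uid $uid, expected $want_uid"; rc=1
    fi

    # Step 3 (heuristic): edits take effect only after /sbin/lilo rewrites
    # the map, so a config newer than the map has not been installed yet.
    if [ ! -e "$map" ] || [ "$conf" -nt "$map" ]; then
        echo "FAIL: $conf is newer than $map; run /sbin/lilo"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Run directly with arguments, e.g.: sh audit.sh /etc/lilo.conf
if [ $# -gt 0 ]; then audit_lilo_conf "$@"; fi
```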

J.W. 11-20-2005 05:31 PM

I think makuyl has an excellent point - if the machine is located in an area where unauthorized people have physical access to it, then that's a much more serious problem than the possibility that someone might want to try to change the root PW. Ideally, all critical machines should be in a locked and alarmed room, or at least a locked cage, with only authorized people having access. As you indicated, if you want to make sure that people cannot easily use the single user method or change the PW, put the machine somewhere where all access to it is denied unless the person has proper authorization.

ejennings_98 11-20-2005 07:35 PM

Thanks, great replies.

alienDog 11-20-2005 08:39 PM

Quote:

Originally posted by J.W.
I think makuyl has an excellent point - if the machine is located in an area where unauthorized people have physical access to it, then that's a much more serious problem than the possibility that someone might want to try to change the root PW. Ideally, all critical machines should be in a locked and alarmed room, or at least a locked cage, with only authorized people having access. As you indicated, if you want to make sure that people cannot easily use the single user method or change the PW, put the machine somewhere where all access to it is denied unless the person has proper authorization.

That is very true indeed. Unfortunately it's not always possible to keep the machine(s) in a "secure environment". Especially laptops that are moved around a lot are problematic. Luckily it's often possible to obtain a reasonable amount of security even with laptops by taking care of the beforementioned things. Of course that doesn't help much if the whole machine gets stolen... It will however be completely useless to the person that steals it since (s)he can't even get it to boot, so maybe that will give the "victim" at least some level of emotional satisfaction ;)

btmiller 11-20-2005 09:01 PM

If the entire machine is stolen, it's a simple matter to put the hard drive into a different machine, mount it, and disable the security settings. Granted, it's probably beyond the ability of your average laptop thief, but easily possible. Also, BIOS passwords can usually be reset by removing the CMOS battery from the motherboard or setting a jumper.

In short, if your data must be kept secret, keep it on a server in a secure location. Failing that, at least encrypt the data (either at the file or filesystem level). Fact is, an attacker with physical access to a computer can easily get administrative access, regardless of the operating system.


All times are GMT -5.