LinuxQuestions.org
Old 11-16-2005, 11:49 AM   #1
ejennings_98
Member
 
Registered: Sep 2003
Location: Canada, West Coast
Distribution: Mandriva 2012.1 i586 & x86_64
Posts: 69

Rep: Reputation: 15
Protect against root password change


I have recently had to force a change of the root password on a linux box I was running. It was a test system which I had not used in a while, so I forgot the root password (not so smart).

Anyway, I found that it was amazingly easy to reset the root password. Here is a straightforward article on how to do it.
http://aplawrence.com/Linux/lostlinuxpassword.html

My question is: how can you protect against this? I see this as a security hole.

I understand that the user must have physical access to the computer, but I want to lock the system down so you cannot easily enter single user mode or change the root password.

Regards, Eric.
 
Old 11-16-2005, 12:16 PM   #2
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
prevent single user mode

You can lock the BIOS so they can't boot from CD, then install your system with no boot loader.
 
Old 11-16-2005, 12:35 PM   #3
ejennings_98
Member
 
Registered: Sep 2003
Location: Canada, West Coast
Distribution: Mandriva 2012.1 i586 & x86_64
Posts: 69

Original Poster
Rep: Reputation: 15
sopiaz57:

Thanks for the reply. How would you safely remove the boot loader from an existing system?

Eric
 
Old 11-19-2005, 09:19 AM   #4
alienDog
Member
 
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505

Rep: Reputation: 46
Errh... how would you boot the system without a boot loader then?

It's also possible to password protect lilo (don't know about grub) so that entering the single user mode requires a password. I believe it was password="password" in the lilo.conf. You need to run lilo afterwards in order for the password protection to take effect. Also remember to change the permissions of the lilo.conf so that it's only readable by root.

Finally, prevent booting from CD, USB, and floppy (if you have one) from your machine's BIOS.

Last edited by alienDog; 11-19-2005 at 09:28 AM.
 
Old 11-20-2005, 02:12 PM   #5
ejennings_98
Member
 
Registered: Sep 2003
Location: Canada, West Coast
Distribution: Mandriva 2012.1 i586 & x86_64
Posts: 69

Original Poster
Rep: Reputation: 15
alienDog:

Good point, no boot loader = no boot. I have never had issues with the boot process and therefore I do not know much about Linux boot loaders. I also assumed sopiaz57 knew what he was talking about.

How can I add a password to the boot loader? I am using lilo.

Eric
 
Old 11-20-2005, 02:18 PM   #6
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 53
And don't forget to weld the box shut so the CMOS battery can't be pulled, which would reset the BIOS including the BIOS password. Seriously, with physical access total security is close to impossible. And yes, you can set a password in grub.
 
Old 11-20-2005, 02:24 PM   #7
alienDog
Member
 
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505

Rep: Reputation: 46
This is how you set it:

1. add a line that says:

password="yourpassword"

to your /etc/lilo.conf.

2. chmod 600 /etc/lilo.conf to make it readable by root only (otherwise users will be able to see the lilo password).

3. run /sbin/lilo
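
The three steps above can be verified after the fact. The following audit function is an added example, not part of the original post; it assumes GNU `stat` and that the boot map is at LILO's default location `/boot/map`, and the sample configuration in the demo is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit the three LILO password steps from the post above.
# Assumptions: GNU stat; the boot map lives at /boot/map (LILO's default).

audit_lilo_conf() {
    local conf=${1:-/etc/lilo.conf}
    local map=${2:-/boot/map}
    local findings=0 mode

    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # Step 1: an uncommented password= directive must be present.
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "FAIL: no password= line in $conf"
        findings=$((findings + 1))
    fi

    # Step 2: no group/other permission bits (chmod 600), because the
    # password sits in this file where any user with read access sees it.
    mode=$(stat -c '%a' "$conf")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $conf is mode $mode, accessible beyond its owner"
        findings=$((findings + 1))
    fi

    # Step 3: /sbin/lilo must have been run after the last edit, so the
    # boot map has to be newer than the configuration file.
    if ! [ "$map" -nt "$conf" ]; then
        echo "FAIL: $map is missing or older than $conf; run /sbin/lilo"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $conf passes all three checks"
    return "$findings"
}

# Demo on a constructed sample (not a real system file): the password line
# is present and the map is newer, but the mode was left at 644.
demo=$(mktemp -d)
printf 'boot=/dev/hda\npassword="example-only"\nimage=/boot/vmlinuz\n  label=linux\n' \
    > "$demo/lilo.conf"
chmod 644 "$demo/lilo.conf"
touch -d '2005-11-20 14:18' "$demo/lilo.conf"
touch -d '2005-11-20 14:30' "$demo/map"
audit_lilo_conf "$demo/lilo.conf" "$demo/map"
echo "findings: $?"
rm -rf "$demo"
```

Called with no arguments, the function checks `/etc/lilo.conf` against `/boot/map`; its exit status is the number of failed checks.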
 
Old 11-20-2005, 05:31 PM   #8
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Milwaukee, WI
Distribution: Mint
Posts: 6,642

Rep: Reputation: 69
I think makuyl has an excellent point - if the machine is located in an area where unauthorized people have physical access to it, then that's a much more serious problem than the possibility that someone might want to try to change the root PW. Ideally, all critical machines should be in a locked and alarmed room, or at least a locked cage, with only authorized people having access. As you indicated, if you want to make sure that people cannot easily use the single user method or change the PW, put the machine somewhere where all access to it is denied unless the person has proper authorization.
 
Old 11-20-2005, 07:35 PM   #9
ejennings_98
Member
 
Registered: Sep 2003
Location: Canada, West Coast
Distribution: Mandriva 2012.1 i586 & x86_64
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks, great replies.
 
Old 11-20-2005, 08:39 PM   #10
alienDog
Member
 
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505

Rep: Reputation: 46
Quote:
Originally posted by J.W.
I think makuyl has an excellent point - if the machine is located in an area where unauthorized people have physical access to it, then that's a much more serious problem than the possibility that someone might want to try to change the root PW. Ideally, all critical machines should be in a locked and alarmed room, or at least a locked cage, with only authorized people having access. As you indicated, if you want to make sure that people cannot easily use the single user method or change the PW, put the machine somewhere where all access to it is denied unless the person has proper authorization.
That is very true indeed. Unfortunately it's not always possible to keep the machine(s) in a "secure environment". Especially laptops that are moved around a lot are problematic. Luckily it's often possible to obtain a reasonable amount of security even with laptops by taking care of the aforementioned things. Of course that doesn't help much if the whole machine gets stolen... It will however be completely useless to the person that steals it since (s)he can't even get it to boot, so maybe that will give the "victim" at least some level of emotional satisfaction
 
Old 11-20-2005, 09:01 PM   #11
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,109

Rep: Reputation: 312
If the entire machine is stolen, it's a simple matter to put the hard drive into a different machine, mount it, and disable the security settings. Granted, it's probably beyond the ability of your average laptop thief, but easily possible. Also, BIOS passwords can usually be reset by removing the CMOS battery from the motherboard or setting a jumper.

In short, if your data must be kept secret, keep it on a server in a secure location. Failing that, at least encrypt the data (either at the file or filesystem level). Fact is, an attacker with physical access to a computer can easily get administrative access, regardless of the operating system.
 
  

