Disabling single user when booting

carcassonne · 07-20-2005, 06:46 PM

Hi all,

It is possible to 'trick' the normal booting sequence (when using lilo) and get a boot prompt asking mor eor less what to do. And then, at this boot prompt it is possible to say to run /bin/bash/ after booting the kernel thus evading all kind of user name and password queries. Once this is done the malicious user can change passwords, etc...

Can we disable this 'feature' ?

Thanks a lot for any suggestions !

spoore · 07-20-2005, 09:39 PM

It's possible (I think) to a certain extent but you will lose recoverability. You can adjust the settings in the inittab and redirect those runlevels to whatever runlevel you want. I believe this will change how a single user boot functions but I've never actually done it before. You'd have to test it.

If this is really a security problem for you, this won't really fix the real issue. The culprit could easily boot from floppy/cd and adjust those settings as well as anything else on your machine. That is unless you're using bios passwords and/or encrypted file systems.

Now from a lilo perspective, I think it just passes the run level and the init process determines what level to run at. I'm not sure though. I'd still say test the inittab settings for single user if you can. There may be a way to set single user mode to request root's password the way some Solaris single user boots do. That may be something to search for as well.

Scott

primo · 07-20-2005, 09:50 PM

with lilo, you may password protect the boot prompt.. You must set
restricted
password=""
in your boot partition/s

See lilo(8)

broch · 07-21-2005, 09:30 AM

Quote:

with lilo, you may password protect the boot prompt..

and next use Knopix CD and your password is worthless (It is easy to reset password if one has physical access to your computer)

primo · 07-21-2005, 12:27 PM

Quote:

Originally posted by broch
and next use Knopix CD and your password is worthless (It is easy to reset password if one has physical access to your computer)

Of course, you must password-protect your bios too, after setting the boot sequence to your hard drive always 1st

broch · 07-21-2005, 01:13 PM

Quote:

Of course, you must password-protect your bios too, after setting the boot sequence to your hard drive always 1st

Yeah, open box, remove battery for a minute or so, put battery back and boot up from Knopix. If there is physical access all to the box it is impossible to fully ptotect it. Use separate logins to protect individual users, but if someone want to get to your box without permission and has physical access you may be in trouble.

primo · 07-21-2005, 02:55 PM

Quote:

Originally posted by broch
Yeah, open box, remove battery for a minute or so, put battery back and boot up from Knopix. If there is physical access all to the box it is impossible to fully ptotect it. Use separate logins to protect individual users, but if someone want to get to your box without permission and has physical access you may be in trouble.

This has been discussed countless of times. Everyone with physical access may do many things at will. Anyway, you can protect your sensitive data encrypting your hard drive (for laptop users it's a must)