Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
07-20-2005, 06:46 PM
|
#1
|
Member
Registered: Jul 2005
Distribution: Fedora6 x86_64
Posts: 118
Rep:
|
Disabling single user when booting
Hi all,
It is possible to 'trick' the normal booting sequence (when using lilo) and get a boot prompt asking mor eor less what to do. And then, at this boot prompt it is possible to say to run /bin/bash/ after booting the kernel thus evading all kind of user name and password queries. Once this is done the malicious user can change passwords, etc...
Can we disable this 'feature' ?
Thanks a lot for any suggestions !
|
|
|
07-20-2005, 09:39 PM
|
#2
|
LQ Newbie
Registered: Aug 2004
Posts: 23
Rep:
|
It's possible (I think) to a certain extent but you will lose recoverability. You can adjust the settings in the inittab and redirect those runlevels to whatever runlevel you want. I believe this will change how a single user boot functions but I've never actually done it before. You'd have to test it.
If this is really a security problem for you, this won't really fix the real issue. The culprit could easily boot from floppy/cd and adjust those settings as well as anything else on your machine. That is unless you're using bios passwords and/or encrypted file systems.
Now from a lilo perspective, I think it just passes the run level and the init process determines what level to run at. I'm not sure though. I'd still say test the inittab settings for single user if you can. There may be a way to set single user mode to request root's password the way some Solaris single user boots do. That may be something to search for as well.
Scott
|
|
|
07-20-2005, 09:50 PM
|
#3
|
Member
Registered: Jun 2005
Posts: 542
Rep:
|
with lilo, you may password protect the boot prompt.. You must set
restricted
password=""
in your boot partition/s
See lilo(8)
|
|
|
07-21-2005, 09:30 AM
|
#4
|
Member
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 465
Rep:
|
Quote:
with lilo, you may password protect the boot prompt..
|
and next use Knopix CD and your password is worthless (It is easy to reset password if one has physical access to your computer)
|
|
|
07-21-2005, 12:27 PM
|
#5
|
Member
Registered: Jun 2005
Posts: 542
Rep:
|
Quote:
Originally posted by broch
and next use Knopix CD and your password is worthless (It is easy to reset password if one has physical access to your computer)
|
Of course, you must password-protect your bios too, after setting the boot sequence to your hard drive always 1st
|
|
|
07-21-2005, 01:13 PM
|
#6
|
Member
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 465
Rep:
|
Quote:
Of course, you must password-protect your bios too, after setting the boot sequence to your hard drive always 1st
|
Yeah, open box, remove battery for a minute or so, put battery back and boot up from Knopix. If there is physical access all to the box it is impossible to fully ptotect it. Use separate logins to protect individual users, but if someone want to get to your box without permission and has physical access you may be in trouble.
|
|
|
07-21-2005, 02:55 PM
|
#7
|
Member
Registered: Jun 2005
Posts: 542
Rep:
|
Quote:
Originally posted by broch
Yeah, open box, remove battery for a minute or so, put battery back and boot up from Knopix. If there is physical access all to the box it is impossible to fully ptotect it. Use separate logins to protect individual users, but if someone want to get to your box without permission and has physical access you may be in trouble.
|
This has been discussed countless of times. Everyone with physical access may do many things at will. Anyway, you can protect your sensitive data encrypting your hard drive (for laptop users it's a must)
|
|
|
All times are GMT -5. The time now is 11:42 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|