[224] in linux-security and linux-alert archive
LILO hole
daemon@ATHENA.MIT.EDU (David A. Blankenship)
Thu Apr 27 14:06:40 1995
Date: Tue, 25 Apr 1995 08:49:18 -0400
From: "David A. Blankenship" <dblanken@Paranor.pc.cc.cmu.edu>
To: linux-security@tarsier.cv.nrao.edu

[mod: Although the issue of subverting Linux by tweaking the boot sequence
has been discussed several times and the hole described below is in fact a
lilo feature described in the manual, I'm approving this because there
still seems to be some uncertainty among users on how to cope with this.
The method described below in combination with a BIOS password should
protect you from the more trivial types of attacks, I believe. --okir]

It seems that there is a rather amusing security hole in lilo. If you
enter 'linux single' at the boot prompt it boots linux single user. Doesn't
ask for a password or anything. Of course it also mounts the hard drive
read-only, but it's very easy to remount it read/write.

Fortunately this is easy to fix. Just put a line in /etc/lilo.conf
password=your_password and reinstall lilo. This will ask you for a
password any time you boot up on any OS. If you don't like that, you can
put the word 'restricted' in front of the label of the OS you don't want
password protected. Then it will only ask for a password if you try to
put 'single' (or any other parameters) after the name at boot up.

I'm not sure how many versions of lilo this affects, but it's
worked on every one I've tried so far. I don't know about any of the
other distributions, but Slackware doesn't say anything about password
protecting lilo so any system with the default Slackware distribution
should be vulnerable.

This is actually a pretty handy feature as long as you have it
passworded. Oh, and if you do put the password line in lilo.conf make
sure lilo.conf isn't world readable (there's no reason it should be) or
everyone will be able to see your password.

=============================================================================
"God is dead" |
--Nietzsche |
| David A. Blankenship ==\/==
"Nietzsche is dead" | dblanken@paranor.pc.cc.cmu.edu
--God |
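
The checks described in the message above, as an added example that is not part of the original post: a small shell audit that reports whether a lilo.conf has a password= line, whether 'restricted' is set, and whether the file is readable by group or other. The function names, the sample config and the CHANGE_ME password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit a lilo.conf for the
# points the message raises. Function names and sample data are hypothetical.

has_password() {    # true if an uncommented password= line exists
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

has_restricted() {  # true if an uncommented 'restricted' keyword exists
    grep -Eq '^[[:space:]]*restricted[[:space:]]*(#.*)?$' "$1"
}

is_private() {      # true if group and other have no permission bits at all
    case "$(ls -ld -- "$1" | cut -c5-10)" in
        '------') return 0 ;;
        *)        return 1 ;;
    esac
}

# Returns 0 = acceptable, 1 = no password, 2 = password exposed by file mode.
audit_lilo_conf() {
    conf=$1
    if ! has_password "$conf"; then
        echo "FAIL: no password= line, boot parameters such as 'single' need no password"
        return 1
    fi
    if ! is_private "$conf"; then
        echo "FAIL: password= is set but the file is readable by group/other (chmod 600)"
        return 2
    fi
    if has_restricted "$conf"; then
        echo "OK: password asked only when boot parameters are given"
    else
        echo "OK: password asked on every boot"
    fi
}

# Constructed sample config; CHANGE_ME is a placeholder password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
boot=/dev/hda
password=CHANGE_ME
image=/vmlinuz
  restricted
  label=linux
EOF
chmod 644 "$sample"; audit_lilo_conf "$sample" || true
chmod 600 "$sample"; audit_lilo_conf "$sample" || true
rm -f "$sample"
```

Point it at the real file with `audit_lilo_conf /etc/lilo.conf`; a change to the config only takes effect after lilo is reinstalled, as the message says.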