[102525] in RedHat Linux List


Re: LILO Security problem

daemon@ATHENA.MIT.EDU (Kevin Smith)
Thu Dec 3 18:46:53 1998

Date: Thu, 3 Dec 1998 15:33:57 -0600 (EST)
From: Kevin Smith <kevin@mtsu.edu>
To: redhat-list@redhat.com
cc: scagnett@dimi.uniud.it
In-Reply-To: <199812031302.OAA29728@maxi>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com

On Thu, 3 Dec 1998, Ivan Scagnetto wrote:

> I am a Linux beginner. The first distribution I installed on my PC was
> Slackware 3.0 and I was quite happy with it. Recently I decided to move to
> RedHat 5.0 since my friends told me that it is more stable, it is well
> supported, the installation and removal of programs is easier etc.
> Indeed this is true, but there is a feature of RedHat 5.0 which appears to
> me a serious security hole: more precisely typing "single" after "linux"
> (or whatever label you have chosen to identify Linux OS) at the LILO
> prompt everyone can access as root to the system without a password
> prompt!!!
> I cannot believe that there is a sysadmin that would allow to install such
> a system in a LAN since the security would be null.
> I hope that there is the possibility to fix it (in S.U.S.E. Linux there is
> also that feature, but the root password is asked for).

Well... there is an option with lilo to require a password to be entered
in order to specify ANY boot options (including 'single')... just make the
boot option "restricted", and supply a "Password=MYPASS" in the global
section... lilo will then require you to make the lilo.conf file
unreadable by others (since the password is in plain text), but it works
great... then disable boot from floppy and cdrom, and you are all set...

For more information, take a look at /usr/doc/lilo-*/README and search for
"restricted"

-----
Kevin Smith
kevin@mtsu.edu

17th Rule of Friendship:
	A friend will refrain from telling you he picked up the same amount of
	life insurance coverage you did for half the price when yours is
	noncancellable.
		-- Esquire, May 1977
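
The setup described in the reply above can be checked with a small audit script. This is an added example, not part of the original message or of LILO itself; it assumes option names are matched case-insensitively, inspects only the global section of the file, and uses a constructed sample configuration with the message's placeholder password.

```sh
#!/bin/sh
# Added example (not from the original message): audit a lilo.conf for the
# setup described above. Assumptions: option names are matched
# case-insensitively and only the global section (lines before the first
# image= or other=) is inspected.

audit_lilo_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # Scan the global section only; '#' starts a comment.
    report=$(awk '
        { sub(/#.*/, ""); line = tolower($0) }
        line ~ /^[ \t]*(image|other)[ \t]*=/ { exit }
        line ~ /^[ \t]*password[ \t]*=/      { pw = 1 }
        line ~ /^[ \t]*restricted[ \t]*$/    { re = 1 }
        END {
            if (!pw) print "FAIL: no global password=, boot options are accepted unauthenticated"
            else if (!re) print "NOTE: password without restricted, every boot prompts for it"
        }' "$conf")

    # The password is plain text, so group and other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] ||
        report="${report:+$report
}FAIL: group/other permissions are '$perms', run chmod 600 $conf"

    [ -z "$report" ] || printf '%s\n' "$report"
    case $report in *FAIL:*) return 1 ;; esac
    return 0
}

# Constructed sample configuration (MYPASS is the placeholder from the message).
demo_dir=$(mktemp -d)
cat > "$demo_dir/lilo.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=MYPASS
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
EOF
chmod 644 "$demo_dir/lilo.conf"; audit_lilo_conf "$demo_dir/lilo.conf" || true
chmod 600 "$demo_dir/lilo.conf"; audit_lilo_conf "$demo_dir/lilo.conf" && echo "OK"
```

After editing the real /etc/lilo.conf, rerun /sbin/lilo so the boot loader picks up the change.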

