[102529] in RedHat Linux List
Re: LILO Security problem
daemon@ATHENA.MIT.EDU (John Duquette)
Thu Dec 3 18:53:49 1998
To: redhat-list@redhat.com
In-Reply-To: Your message of "Thu, 03 Dec 1998 08:24:33 -0900."
<3666C951.B5D29BC2@nook.net>
Date: Thu, 03 Dec 1998 16:48:34 -0500
From: John Duquette <jduquette@icsa.net>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
> Ivan Scagnetto wrote:
>
> > typing "single" after "linux"
> > (or whatever label you have chosen to identify Linux OS) at the LILO
> > prompt anyone can access the system as root without a password
> > prompt!!!
> > I cannot believe that there is a sysadmin that would allow such a system
> > to be installed in a LAN since the security would be null.
> > I hope that there is the possibility to fix it (in S.U.S.E. Linux there is
> > also that feature, but the root password is asked for).
>
> A reader suggested adding the lines "restricted" and "password=xx"
> to /etc/lilo.conf.
>
> While that works as far as it goes, let me reiterate: in a system
> that has physical access there is NO security.
>
> 1. If you put in a LILO password, it is possible to bypass it by
> booting from a floppy: into DOS or Linux.
>
> 2. If you password the BIOS, it only works at power-up. Check
> yours, but the ones I've seen do not bring the password up
> on a reboot.
>
> 3. If you get the BIOS to be password protected somehow, there
> is still the jumper to reset the bios.
>
> 4. The hard drive can be stolen and mounted on another system.
>
> Any sysadmin will tell you that the machine has to be locked up
> or in a trusted environment or security is not much use. I think
> that is a reasonable statement.
>
> --
> Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
> 285 West First Avenue rfg@nook.net
> P.O. Box 970 tel. 907-443-7575
> Nome, Alaska 99762-0970 ======================= fax. 907-443-2487
>
>
So will any security company....
--
John Duquette | "It is harder to preserve than to
Field Security Analyst | obtain liberty"
ICSA Inc. |
| - John C. Calhoun
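As an added example that is not part of the thread, a small POSIX shell audit of the lilo.conf hardening Ramon quotes (the "restricted" and "password=" directives); the two sample configs and the EXAMPLE_ONLY password are constructed, and the file-mode check assumes GNU or BSD stat.

```shell
#!/bin/sh
# lilo_check: audit a lilo.conf for the "password=" / "restricted" hardening.
# LILO semantics assumed here: "password=" alone prompts on every boot;
# adding "restricted" limits the prompt to boots that pass extra kernel
# parameters (such as "single"), which is the case the thread is about.
# Returns 0 when a password is set and the file is owner-only readable
# (the password is stored in clear text), 1 otherwise.
lilo_check() {
    conf="$1"
    status=0
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "MISSING: no password= in $conf; 'linux single' gives a root shell unprompted"
        status=1
    elif ! grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$conf"; then
        echo "NOTE: password= without restricted; every boot will prompt, not only 'single'"
    fi
    # The password is clear text, so the file must not be group/world readable.
    perms=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case "$perms" in
        600|400) ;;
        *) echo "WEAK: $conf is mode $perms; clear-text password readable by others (want 600)"
           status=1 ;;
    esac
    return $status
}

# Constructed sample configs (not from the thread) for a stand-alone run.
demo() {
    weak=$(mktemp); hard=$(mktemp)
    printf 'boot=/dev/hda\nprompt\ntimeout=50\nimage=/vmlinuz\n\tlabel=linux\n\troot=/dev/hda1\n' > "$weak"
    printf 'boot=/dev/hda\nprompt\ntimeout=50\nrestricted\npassword=EXAMPLE_ONLY\nimage=/vmlinuz\n\tlabel=linux\n\troot=/dev/hda1\n' > "$hard"
    chmod 644 "$weak"; chmod 600 "$hard"
    echo "== default config =="; lilo_check "$weak" || echo "result: FAIL"
    echo "== hardened config =="; lilo_check "$hard" && echo "result: OK"
    rm -f "$weak" "$hard"
}
demo
```

Remember that lilo must be re-run after editing lilo.conf for the change to take effect, and, as the thread says, this only raises the bar for someone at the console, it does not stop a floppy boot or a removed disk.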
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.