[2279] in RedHat Linux List
Re: Is "linux single" a security concern?
daemon@ATHENA.MIT.EDU (Joerg Mertin)
Fri Nov 1 21:41:40 1996
From: smurphy@stardust.bln.sub.org (Joerg Mertin)
To: redhat-list@redhat.com
Date: Fri, 1 Nov 1996 10:43:50 +0100 (MET)
Reply-To: smurphy@antares.zrz.TU-Berlin.DE
In-Reply-To: <199610312153.OAA03844@amphlem.corp.apple.com> from "Eric S. Pulley" at "Oct 31, 96 01:53:21 pm"
Resent-From: redhat-list@redhat.com
According to Eric S. Pulley:
>
> >I booted my box to try out the "linux single" lilo option, and I'm concerned
> >that the resulting unprotected root shell is a fairly serious security
> >concern.
> >
> >Not all machines can be physically secured (e.g. in a large office building,
> >perhaps) and it seems that it would be a trivial way to gain root access to
> >any Linux box.
> >
> Yes this is a security hole but it can be fixed somewhat with a password=
> line in your lilo.conf, which will cause lilo to have a password

Well, I'm doing it differently. There's a program, notably found in
the shadow-packages, that can also be compiled for normal passwords,
called "sulogin". I use them on all my systems. Once installed, put
the following lines in your /etc/inittab:

    # Shell to run in single user mode.
    ~~:S:wait:/sbin/sulogin

and the following into the /etc/rc.d/rc.sysinit:

    echo "*** An error occurred during the file system check."
    echo "*** Dropping you to a shell; the system will reboot"
    echo "*** when you leave the shell."
    PS1="(Repair filesystem) #"; export PS1
    /sbin/sulogin    # <- This line !!!
    echo "Automatic reboot in progress."
    reboot

It is a login program that asks for root's password as soon as
invoked. You folks should compile it statically, since a missing libc
will not let you get into your system without boot-root disks.

I had to do this, since too many of my users have good LiNUX
knowledge, and some already went in as root :( After including this
and checking the /etc/passwd file, ~root/.rhosts and NIS database on
all systems, also changing the root password, none went in anymore :)

Of course, the BIOS has to be password protected, floppy boot disabled,
and the lilo in all stages restricted, since anyone could boot the
kernel using the root= parameter. BTW: The lilo.conf file has to be
chmod'ed to 600, since passwords are plain text in there.

cu
--
`*** Fatal Error: Found [MS-Windows] -> Repartitioning Disk for LiNUX...'
------------------------------------------------------------------------
| Joerg Mertin : smurphy@linux.de (Home) |
| in Berlin Spandau at : joerg@pc50.zrz.tu-berlin.de |
| Stardust's LiNUX System : Data, Fax & Voice 49 30 3627345 |
| PGP 2.6.2i Key on Demand : ZyXEL Link |
------------------------------------------------------------------------
PGP Key fingerprint = C6 3F A3 12 D7 EE 60 27 88 A0 01 E6 0B 11 45 67
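
The checks described in the message above, as an added example that is not part of the original post: a POSIX shell audit of the inittab sulogin entry, the lilo.conf password= line and that file's mode. The function names and the sample file contents are constructed for illustration; pass the real /etc/inittab and /etc/lilo.conf to audit a system.

```sh
#!/bin/sh
# Added example: checks for the settings named in the message above.
# File paths are arguments so the checks can run against copies.

# 0 if a non-comment inittab entry for runlevel S runs sulogin
# (inittab fields are id:runlevels:action:process).
inittab_has_sulogin() {
    awk -F: '!/^[ \t]*#/ && $2 ~ /S/ && $4 ~ /sulogin/ { ok = 1 }
             END { exit !ok }' "$1"
}

# 0 if lilo.conf contains a non-comment password= line.
lilo_has_password() {
    awk '/^[ \t]*password[ \t]*=/ { ok = 1 } END { exit !ok }' "$1"
}

# 0 if the file is a regular file with mode 600 (read/write for owner only).
mode_is_600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Prints one line per finding; returns 0 only when every check passes.
audit_single_user() {   # usage: audit_single_user INITTAB LILO_CONF
    rc=0
    inittab_has_sulogin "$1" || { echo "FAIL: $1 has no sulogin entry for runlevel S"; rc=1; }
    lilo_has_password "$2"   || { echo "FAIL: $2 has no password= line"; rc=1; }
    mode_is_600 "$2"         || { echo "FAIL: $2 is not mode 600"; rc=1; }
    return "$rc"
}

# Constructed sample files (not taken from any real system).
demo=$(mktemp -d)
printf '%s\n' '# Shell to run in single user mode.' '~~:S:wait:/sbin/sulogin' > "$demo/inittab"
printf '%s\n' 'boot=/dev/hda' 'password=example-only' 'image=/vmlinuz' '  label=linux' > "$demo/lilo.conf"
chmod 600 "$demo/lilo.conf"
audit_single_user "$demo/inittab" "$demo/lilo.conf" && echo "hardened sample: OK"

# Same files with the sulogin entry commented out and lilo.conf world-readable.
printf '%s\n' '#~~:S:wait:/sbin/sulogin' > "$demo/inittab"
chmod 644 "$demo/lilo.conf"
audit_single_user "$demo/inittab" "$demo/lilo.conf" || echo "weak sample: findings above"
rm -rf "$demo"
```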