[99606] in RedHat Linux List
Re: Forget root password, help.
daemon@ATHENA.MIT.EDU (Kevin Smith)
Mon Nov 16 02:21:33 1998
Date: Mon, 16 Nov 1998 01:26:49 -0600 (EST)
From: Kevin Smith <kevin@mtsu.edu>
To: redhat-list@redhat.com
In-Reply-To: <199811160656.WAA08258@ann.qtpi.lakewood.ca.us>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
On Sun, 15 Nov 1998, Bob Taylor wrote:
> > so why not take advantage of the "restricted" option of lilo, to prevent
> > people from passing options to the kernel (such as single) without putting
> > in a password...
>
> LILO > linux init=bash
>
> Oops! :-)
This is still caught by lilo if you set it up restricted... take the
following configuration for example:
--- cut here: begin lilo.conf ---
boot=/dev/hda
map=/boot/map-2.1.128
install=/boot/boot.b
prompt
# global password, applies to every image below
password=YOURPASSHERE
timeout=50
image=/vmlinuz-2.1.128
	label=linux
	root=/dev/hda2
	append="mem=256M"
	# ask for the password only when parameters are given at the prompt
	restricted
	read-only
--- cut here: end lilo.conf ---
This will prevent the user from entering ANYTHING except "linux" or just
pressing enter.. anything else (*** ANYTHING else ***) and they must enter
the password you specify, or lilo will not allow it...
In addition to this, disable boot from floppy, boot from cdrom, and throw
a password on BIOS, and you severely limit the methods of an easy root
shell via console access to your box...
Although there is no 100% safe way to configure your system to prevent
console users from gaining root access, this one does a pretty good job...
-----
Kevin Smith
kevin@mtsu.edu
If anything can go wrong, it will.
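
The following is an added example, not part of Kevin Smith's message: a small Python audit of a lilo.conf for the password/restricted setup described above. The function names and the sample text are constructed for illustration, and the permission check assumes (as an addition to the thread) that the password sits in lilo.conf in clear text, so the file should be accessible to root only.

```python
# Added example: audit a lilo.conf for the settings discussed in this message.
SAMPLE = """\
boot=/dev/hda
prompt
password=YOURPASSHERE
timeout=50
image=/vmlinuz-2.1.128
label=linux
root=/dev/hda2
append="mem=256M"
restricted
read-only
"""  # constructed sample, shortened from the configuration quoted above

def parse(text):
    """Split lilo.conf text into global options and per-image sections."""
    glob, images, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # naive comment strip
        if not line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key in ("image", "other"):          # a new boot entry starts here
            cur = {"entry": val}
            images.append(cur)
        else:                                  # options before the first entry are global
            (glob if cur is None else cur)[key] = val
    return glob, images

def protection(glob, img):
    """none / params-only (restricted) / every-boot (password without restricted)."""
    if "password" not in img and "password" not in glob:
        return "none"
    return "params-only" if "restricted" in img or "restricted" in glob else "every-boot"

def audit(text, mode):
    """Return findings for the config text and the file's permission bits."""
    glob, images = parse(text)
    findings = []
    uses_password = "password" in glob
    for img in images:
        uses_password = uses_password or "password" in img
        if protection(glob, img) == "none":
            findings.append(f"{img.get('label', img['entry'])}: boot parameters accepted without a password")
    if uses_password and mode & 0o077:
        findings.append("lilo.conf is accessible by group or others; the password is stored in clear text")
    return findings
```

On a real system the mode argument would come from `stat.S_IMODE(os.stat("/etc/lilo.conf").st_mode)`.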