Hi,

just stepped on this option to type "linux init=/bin/sh" at the boot prompt, which gives me a root shell. For me, that's really a security problem: We have some computers here which we cannot protect with boot-passwords because they have to come up automatically after a power drop. Can I somehow disable this possibility of passing an alternative init-parameter for my SuSE 6.4?

Best regards,
Frank

--
Dipl.-Inform. Frank Steiner        mailto:fst@informatik.uni-kiel.de
Lehrstuhl f. Programmiersprachen   mailto:fsteiner@web.de
CAU Kiel, Olshausenstraße 40       Phone: +49 431 880-7265, Fax: -7613
D-24098 Kiel, Germany              http://www.informatik.uni-kiel.de/~fst/
Hi!
just stepped on this option to type "linux init=/bin/sh" at the boot prompt, which gives me a root shell. For me, that's really a security problem: We have some computers here which we cannot protect with boot-passwords because they have to come up automatically after a power drop. Can I somehow disable this possibility of passing an alternative init-parameter for my SuSE 6.4?
this is from SuSE /etc/lilo.conf:

    # Start LILO global Section
    # If you want to prevent console users to boot with init=/bin/bash,
    # restrict usage of boot params by setting a passwd and using the option
    # restricted.
    password=password
    restricted

good luck!
Yuri.
The simple fact is that if someone has physical access to your box they OWN it. Anything you put on it can be easily defeated. M
The simple fact is that if someone has physical access to your box they OWN it. Anything you put on it can be easily defeated.
Ok see this is a basic fallacy. The proper statement would be: Anyone willing to make enough effort WILL be able to break into your system. So what you want to do is either make it hard enough that they aren't willing to spend the effort, or slow them down enough so that you can respond.

For example banks: Banks use a heavy steel vault. Why? Not because it can't be broken into, given enough time and a plasma torch I can get in. What they do is slow me down enough that police have plenty of time to respond to the alarm; when people with guns show up and tell me to assume the felon position, that is the end of my attempt to break into the vault.

Case in point: a friend uses a small computer lab on campus for grads. They have a Linux fileserver, it is reasonably secure, they don't have root, etc. Now I looked at it and said "I can break into it in less than 10 seconds and I don't need to know anything about the machine". My friends disbelieved me. So I hit ctrl-alt-del to reboot it (this is a LOT nicer than hitting the reset button =), and typed "linux single" at the boot prompt; rats, foiled by sulogin. Ok, hit ctrl-alt-del again and typed "linux init=/bin/sh", haha, a root prompt. All in under 10 seconds.

Now if LILO had been properly secured I would have to bring boot media with me (not something I usually carry around), and if the BIOS was secure I'd have to bring my list of BIOS passwords (which won't always work, especially on newer machines), and boot media, and spend a LOT longer breaking in (by which time someone might notice the server is down and have walked over to it to investigate).
M
-Kurt
* Kurt Seifried wrote on Tue, Sep 26, 2000 at 15:11 -0600:
"I can break into it in less then 10 seconds and I don't need to know anything about the machine". [...] passwords (which won't always work, especially on newer machines), and boot media, and spend a LOT longer breaking in (by which someone might notice the server is down and have walked over to it to investigate).
:) Yep, and finally there are screwdrivers ;)

oki,
Steffen

--
This message was produced by machine; it therefore bears neither signature nor seal.
Oh that has been around for some time. How about editing lilo.conf to say

    password=password
    restricted

This way you cannot pass options to lilo unless you know the password. Also you can as well set the timeout to zero. Don't forget the restricted entry, otherwise your machine won't boot without a password.

On Tue, 26 Sep 2000, Frank Steiner wrote:
Hi,
just stepped on this option to type "linux init=/bin/sh" at the boot prompt, which gives me a root shell. For me, that's really a security problem: We have some computers here which we cannot protect with boot-passwords because they have to come up automatically after a power drop. Can I somehow disable this possibility of passing an alternative init-parameter for my SuSE 6.4?
Best regards, Frank
--
Dipl.-Inform. Frank Steiner        mailto:fst@informatik.uni-kiel.de
Lehrstuhl f. Programmiersprachen   mailto:fsteiner@web.de
CAU Kiel, Olshausenstraße 40       Phone: +49 431 880-7265, Fax: -7613
D-24098 Kiel, Germany              http://www.informatik.uni-kiel.de/~fst/
Oh that has been around for some time. How about editing lilo.conf to say

    password=password
    restricted

This way you cannot pass options to lilo unless you know the password. Also you can as well set the timeout to zero. Don't forget the restricted entry, otherwise your machine won't boot without a password.
Alas the timeout option is meaningless, ideally setting timeout=0 would make lilo accept no user input and boot straight to the default OS. perhaps this is a feature request.

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
True, since someone holding down a few keys can stop it and present the boot prompt, but at least the password protection will help keep those who don't know it from passing parameters to lilo. Besides that, /etc/lilo.conf had better be readable only by root, otherwise that option is useless.

On Wed, 27 Sep 2000, Kurt Seifried wrote:

Oh that has been around for some time. How about editing lilo.conf to say

    password=password
    restricted

This way you cannot pass options to lilo unless you know the password. Also you can as well set the timeout to zero. Don't forget the restricted entry, otherwise your machine won't boot without a password.
Alas the timeout option is meaningless, ideally setting timeout=0 would make lilo accept no user input and boot straight to the default OS. perhaps this is a feature request.
Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
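The three points raised in this thread so far (Yuri's password= and restricted lines, and the remark that /etc/lilo.conf must be readable by root only) gathered into one audit script. This is an added example, not code from any poster or from SuSE; the two sample configs it writes are constructed, and the password value is a placeholder.

```shell
#!/bin/sh
# Audit a lilo.conf for the three protections raised in this thread:
#   password=   boot parameters (init=/bin/sh, single) need the password
#   restricted  ask for it only when parameters are typed, so an
#               unattended reboot after a power drop still works
#   mode 0600   the password is in clear text. Returns 0 only when all pass.
check_lilo_conf() {
    conf=$1
    rc=0
    # drop comments and surrounding blanks so "  password = x" matches
    stripped=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")
    if ! printf '%s\n' "$stripped" | grep -q '^password[[:space:]]*='; then
        echo "$conf: no password= line, console users can pass boot parameters"
        rc=1
    fi
    if ! printf '%s\n' "$stripped" | grep -qx 'restricted'; then
        echo "$conf: 'restricted' missing, the password (if any) is asked on every boot"
        rc=1
    fi
    # group/other permission bits from ls -l, e.g. "r--r--" for mode 644
    if [ "$(ls -l "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: readable by group/others, the LILO password is exposed"
        rc=1
    fi
    return $rc
}
# Constructed sample configs (not from any real machine) for a self-test.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
boot=/dev/hda
timeout=50
image=/boot/vmlinuz
    label=linux
EOF
    chmod 644 "$dir/weak.conf"
    cat >"$dir/hardened.conf" <<'EOF'
boot=/dev/hda
timeout=50
password=EXAMPLE-ONLY
restricted
image=/boot/vmlinuz
    label=linux
EOF
    chmod 600 "$dir/hardened.conf"
    echo "$dir"
}
d=$(make_samples)
check_lilo_conf "$d/weak.conf" || echo "weak.conf fails the audit"
check_lilo_conf "$d/hardened.conf" && echo "hardened.conf passes the audit"
```

The script does not check that password= and restricted sit in the global section rather than under an image= entry, so keep them above the first image= line as in Yuri's snippet.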
* Kurt Seifried wrote on Wed, Sep 27, 2000 at 12:43 -0600:
Alas the timeout option is meaningless, ideally setting timeout=0 would make lilo accept no user input and boot straight to the default OS. perhaps this is a feature request.
AFAIK this is not 100% true, since there may be situations when lilo does accept user input, and finally it's hard if the administrator needs to reboot with boot parameters like "single" or so.

oki,
Steffen

--
This message was produced by machine; it therefore bears neither signature nor seal.
Just came back from a few days out of my office and read all your answers and want to thank all of you for your help and ideas! For a first approach, the restricted-password helps a lot (ok, the problem with bios master password and boot media, but...). So thank you all :-)

Best regards,
Frank

--
Dipl.-Inform. Frank Steiner        mailto:fst@informatik.uni-kiel.de
Lehrstuhl f. Programmiersprachen   mailto:fsteiner@web.de
CAU Kiel, Olshausenstraße 40       Phone: +49 431 880-7265, Fax: -7613
D-24098 Kiel, Germany              http://www.informatik.uni-kiel.de/~fst/
* Kurt Seifried wrote on Wed, Sep 27, 2000 at 12:43 -0600:

Alas the timeout option is meaningless, ideally setting timeout=0 would make lilo accept no user input and boot straight to the default OS. perhaps this is a feature request.
AFAIK this is not 100% true, since there may be situations when lilo does accept user input, and finally it's hard if the administrator needs to reboot with boot parameters like "single" or so.
Usually by the time you _need_ to boot into single user mode it's time to use a recovery disk/cd. I haven't really encountered any situation in the last few years where lilo being truly secure would have caused me grief, OTOH I sure wish I could make lilo secure (restricted and passwd are good, but more would be better). It's a basic C2 security requirement as well, for good reason.
oki,
Steffen
-Kurt