Recipe 12.21. Password-Protecting LILO

12.21.1 Problem

You don't want your users messing around with your carefully crafted bootloader configuration. You also want to prevent them from exploiting LILO's ability to allow root access without a password, which can easily be done by entering:

linux single

or:

linux init=/bin/sh

at the LILO prompt.

12.21.2 Solution

First, restrict lilo.conf to root only:

# chmod 600 /etc/lilo.conf

Then password-protect LILO. In the global section of lilo.conf, make these entries:

password=""
restricted

Re-run LILO to write the changes:

# /sbin/lilo

It will ask you to enter a password. Give it your root password. It will then create a /etc/lilo.conf.shs file, containing a password hash accessible only to root.

Now when the system reboots, anyone trying to enter linux single or linux init=/bin/sh at the LILO prompt will be asked for the password.
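
The script below is an added example, not part of the original recipe: it audits a lilo.conf for the settings made above (file permissions, a global password, and the restricted keyword). The function names are this example's own, and it assumes the hash file sits beside the config file with a .shs suffix, as /etc/lilo.conf.shs does.

```shell
#!/bin/sh
# Added example: audit the LILO settings from this recipe.
# Usage after sourcing this file: audit_lilo [conf]  (defaults to /etc/lilo.conf)

# True if the file grants no permissions to group or others (e.g. mode 600).
owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the global section: all lines before the first image= or other=,
# with comments stripped.
lilo_global() {
    awk '/^[ \t]*(image|other)[ \t]*=/ { exit } { sub(/#.*/, ""); print }' "$1"
}

audit_lilo() {
    conf=${1:-/etc/lilo.conf}
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    owner_only "$conf" ||
        { echo "FAIL: $conf is accessible to group/others (chmod 600)"; rc=1; }

    global=$(lilo_global "$conf")
    kw='(^|[[:space:]])'    # keyword must start a line or follow whitespace

    # A global password covers every image; a per-image one covers only that image.
    printf '%s\n' "$global" | grep -Eq "${kw}password[[:space:]]*=" ||
        { echo "FAIL: no password= in the global section"; rc=1; }

    # Without "restricted", LILO asks for the password on every boot.
    printf '%s\n' "$global" | grep -Eq "${kw}restricted([[:space:]]|\$)" ||
        echo "NOTE: 'restricted' not set; password is required for every boot"

    # Assumption: the hash file sits beside the config as <conf>.shs.
    if [ -e "$conf.shs" ] && ! owner_only "$conf.shs"; then
        echo "FAIL: $conf.shs is accessible to group/others"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```

Run it as root so the files are readable; the exit status is 0 when no FAIL line was printed.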

12.21.3 Discussion

For additional boot-time security, disable all external boot devices in the system BIOS, and use a BIOS password. This is not perfect; after all, as we showed in Recipe 12.14 and Section 12.15, "Anyone with physical access to a box owns it." But it's good enough to keep ordinary users from mucking up the works.

12.21.4 See Also

  • lilo(8), lilo.conf(5)

  • /usr/doc/lilo, or /usr/share/doc/lilo


    Linux Cookbook
    ISBN: 0596006403
    EAN: 2147483647
    Year: 2004
    Pages: 434
