[brlug-general] Is there a kernel patch to stop single user mode?
Dustin Puryear
dpuryear at usa.net
Fri Sep 19 12:18:47 CDT 2003
At 11:13 AM 9/19/2003 -0500, you wrote:
>Is there a way to stop someone with physical access to the box from booting
>into single user mode and changing the root password? I'm not interested in
>solutions that require setting a boot or poweron password in the BIOS. I'd
>like something that could be done in the Linux kernel, so as to apply to
>multiple platforms.
Well, this is a bit tricky.
By LILO I mean LILO, GRUB, or whatever. Also, go ahead and set the system to boot
only off the C: and then password protect any BIOS edits. A boot floppy or
CD will get around all of this.
Case 1: LILO gives you a menu to get to single-user mode, but doesn't allow
custom boots.
Use sulogin for run-level 1 in inittab.
Case 2: You can use LILO to custom boot.
You can't really protect against this. No matter what you do a user can
specify /bin/sh as the init process. You can still specify sulogin in
inittab, but that won't help against:
lilo> linux ... init=/bin/sh
Case 3: LILO gives you a menu to boot single-user mode, but password
protects ability to do a custom boot.
This is pretty safe. Use sulogin in inittab for run-level 1, and provide a
menu item to boot into single user mode. To get to the custom boot menu the
user would have to enter yet another password. Can LILO do this?
Case 4: LILO sucks, you can't do any of this.
Set system to boot to C: only. Configure LILO to not display ANY menu and
to just boot a normal system. Create a boot floppy. When you need
single-user mode just edit the BIOS (you will need the password for editing
the BIOS), boot from floppy, and boot into single user mode. I would still
use sulogin in inittab, but an intelligent Linux user can still just do the
following if they can boot off a floppy:
lilo> linux ... init=/bin/sh
Does this help?
---
Dustin Puryear <dustin at puryear-it.com>
Puryear Information Technology, LLC <http://www.puryear-it.com>
Providing expertise in the management, integration, and
security of Windows and UNIX systems, networks, and applications.
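Added example, not part of Dustin's post: LILO does support his Case 3 through the `restricted` and `password=` options in lilo.conf. With both set, any listed image boots without a password, but LILO asks for the password as soon as extra parameters such as `init=/bin/sh` (or `single`) are typed at the prompt, so a second menu entry with `append="single"` gives a password-free path to single-user mode that then lands on sulogin. The script below writes constructed lilo.conf and inittab samples (hardened beside weak) into a temp directory and audits them for the three controls discussed above; device names, paths, the Red Hat-style inittab lines and the password value are assumptions, and the real files would be /etc/lilo.conf and /etc/inittab. Two caveats that follow from the thread: `lilo` must be re-run after editing lilo.conf, and because `password=` is stored in the clear, lilo.conf must not be world-readable. None of this helps against a boot floppy or CD, which is the BIOS boot-order/password problem the post already points out.

```shell
#!/bin/sh
# Added example: constructed sample configs, audited offline in a temp dir.
# Real-system paths /etc/lilo.conf and /etc/inittab are assumed.

WORK=$(mktemp -d)

# Hardened lilo.conf (Case 3): listed images boot freely; "restricted" makes
# LILO demand the password before accepting any extra kernel parameters,
# which is what stops "lilo: linux init=/bin/sh" from working.
cat > "$WORK/lilo.conf.hardened" <<'EOF'
boot=/dev/hda
prompt
timeout=50
restricted
password=ExamplePassw0rd
image=/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
image=/vmlinuz
        label=linux-single
        root=/dev/hda1
        read-only
        append="single"
EOF
chmod 600 "$WORK/lilo.conf.hardened"   # password is plaintext: owner-only

# Weak lilo.conf: same menu, nothing prevents "linux init=/bin/sh".
cat > "$WORK/lilo.conf.weak" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
EOF
chmod 644 "$WORK/lilo.conf.weak"

# inittab with sulogin on the single-user (S) entry: booting "single"
# now asks for the root password instead of handing out a root shell.
cat > "$WORK/inittab.hardened" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
l1:1:wait:/etc/rc.d/rc 1
EOF

# inittab without sulogin: single-user mode drops straight to a root shell.
cat > "$WORK/inittab.weak" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
EOF

# check_boot_hardening LILO_CONF INITTAB
# Prints each missing control; returns 0 only when all three are present:
# "restricted" and "password=" in lilo.conf, sulogin on the S entry in inittab.
check_boot_hardening() {
    lilo=$1; inittab=$2; rc=0
    grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$lilo" || {
        echo "$lilo: no 'restricted' (kernel params like init=/bin/sh need no password)"; rc=1; }
    grep -Eq '^[[:space:]]*password=' "$lilo" || {
        echo "$lilo: no 'password=' (restricted has nothing to enforce)"; rc=1; }
    grep -Eq '^[^#:]*:S:[^:]*:/sbin/sulogin' "$inittab" || {
        echo "$inittab: single-user entry does not run sulogin"; rc=1; }
    return $rc
}

# lilo_conf_mode_ok LILO_CONF
# Returns 0 when group and other have no permission bits (e.g. mode 600),
# since the password= line is readable by anyone who can read the file.
lilo_conf_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone run: report on both sample pairs.
for pair in hardened weak; do
    if check_boot_hardening "$WORK/lilo.conf.$pair" "$WORK/inittab.$pair" &&
       lilo_conf_mode_ok "$WORK/lilo.conf.$pair"; then
        echo "$pair: OK"
    else
        echo "$pair: NOT hardened"
    fi
done
```

After putting the hardened lines into the real /etc/lilo.conf, run `lilo` so the boot sector picks up the password, and re-run the audit against /etc/lilo.conf and /etc/inittab; the check only reads the files, so it is safe to run from cron.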