Here's how I have mine set up. I have the boot order in the BIOS set to C
only, that is, it will boot the primary IDE master disk ONLY, no floppy, no
CD, nothing except my Linux boot disk. I can password the BIOS setup
interface, I also have it set to not ask for a passwd on boot so it'll
boot normally as long as you don't want to change any of the BIOS settings.
Then in my lilo.conf, I have...

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    password="myPassword"
    default=linux
    #prompt
    #timeout=50

    image=/boot/vmlinuz
        restricted
        label=linux
        root=/dev/root
        append="mem=192M ether=5,0x280,eth0 ether=9,0x300,eth1"
        read-only

    image=/boot/vmlinuz.new
        restricted
        label=new_kernel
        root=/dev/root
        append="mem=192M ether=5,0x280,eth0 ether=9,0x300,eth1"
        read-only

The password line puts a password on the loading of the kernel, but the
restricted keyword tells it to only ask for a password if the options to
the kernel are changed. One can boot the machine normally without ANY
password, but if he wanted to change the options to the kernel, he would
have to enter a password. The boot order in the BIOS prevents a user from
booting off of a floppy, and the BIOS password keeps him from changing
that. Again, one could reset the BIOS, but there is only so much security
you can have against anybody that has physical access to your machine.
The mode on /etc/lilo.conf is 600, owned by root.root. Another good thing
about not having a 'prompt' keyword in your lilo.conf is that it doesn't
even ask the user what to boot unless he holds the shift key during boot.
Most script kiddies don't know this.
-CJO-
On Wed, 23 Jun 1999, Song Jianping wrote:
>Hello all,
> Today someone logged in to my Linux box in single user mode and changed
> the root password. It's very dangerous. Now I have to do the same thing
> to change it back. Can I restrict the access to single user mode?
> For example, asking for a password?
>
> Thanks.
>
>Best regards
>Song.
C.J. Oster (Linux Guru/Surge Addict)
------------------------------------------------------------------
| [EMAIL PROTECTED] | 1003 S. 1st St. | CCSO, WSG, UIUC |
| [EMAIL PROTECTED] | Champaign, IL 61820 | L538 DCL, Urbana |
| ---------------------------------------------------------------|
| PGP: 87D5 4216 43A1 42D6 754D 8F5E 24B3 992A B7A1 F556 |
------------------------------------------------------------------
(580)761-6393 (217)328-8934
"Linux, for people with an IQ above 98" - Bumper Sticker
"Hm, a little big for a cup holder... Why does it say '4x' on it?"