Just wondering?
Is it possible to include in the kernel code a block of code that asks for user 
password when single user level is used? What I foresee happening is that 
whatever code was executed before and after would happen as usual except that 
the execution of the program will stop at the scanf( ) statement, 
awaiting an answer that would then match some hardcoded password. Not the 
most secure because someone can look at the code but it will certainly stop 
many. The question is what to do if the password is wrong? Who knows what 
would happen. I suppose just exit without harm? or maybe not?

Just a thought.

Alvaro Zuniga

On Friday 19 September 2003 12:18 pm, Dustin Puryear wrote:
> At 11:13 AM 9/19/2003 -0500, you wrote:
> >Is there a way to stop someone with physical access to the box from
> > booting into single user mode and changing the root password? I'm not
> > interested in solutions that require setting a boot or poweron password
> > in the BIOS. I'd like something that could be done in the Linux kernel,
> > so as to apply to multiple platforms.
>
> Well, this is a bit tricky.
>
> LILO = LILO, GRUB, or whatever. Also, go ahead and set the system to boot
> only off the C: and then password protect any BIOS edits. A boot floppy or
> CD will get around all of this.
>
> Case 1: LILO gives you a menu to get to single-user mode, but doesn't allow
> custom boots.
>
> Use sulogin for run-level 1 in inittab.
>
> Case 2: You can use LILO to custom boot.
>
> You can't really protect against this. No matter what you do a user can
> specify /bin/sh as the init process. You can still specify sulogin in
> inittab, but that won't help against:
>
> lilo> linux ... init=/bin/sh
>
> Case 3: LILO gives you a menu to boot single-user mode, but password
> protects ability to do a custom boot.
>
> This is pretty safe. Use sulogin in inittab for run-level 1, and provide a
> menu item to boot into single user mode. To get to the custom boot menu the
> user would have to enter yet another password. Can LILO do this?
>
> Case 4: LILO sucks, you can't do any of this.
>
> Set system to boot to C: only. Configure LILO to not display ANY menu and
> to just boot a normal system. Create a boot floppy. When you need
> single-user mode just edit the BIOS (you will need the password for editing
> the BIOS), boot from floppy, and boot into single user mode. I would still
> use sulogin in inittab, but an intelligent Linux user can still just do the
> following if they can boot off a floppy:
>
> lilo> linux ... init=/bin/sh
>
>
> Does this help?
>
>
> ---
> Dustin Puryear <[EMAIL PROTECTED]>
> Puryear Information Technology, LLC <http://www.puryear-it.com>
> Providing expertise in the management, integration, and
> security of Windows and UNIX systems, networks, and applications.
>
>
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
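
An added example, not part of the original thread: a shell audit for the two settings discussed above, sulogin in inittab for single-user mode and a password on custom LILO boots (lilo.conf's `password=` together with `restricted`, which asks for the password only when parameters are typed at the boot prompt). The function names, file names and sample file contents are constructed for illustration; as the thread notes, neither setting helps against booting from a floppy or CD.

```shell
#!/bin/sh
# Added example: audit the settings discussed in the thread.
# All file contents below are constructed samples, not from a real host.

# 0 if inittab runs sulogin for single-user mode (runlevel S or 1).
# inittab fields are id:runlevels:action:process
inittab_has_sulogin() {
    awk -F: '!/^[ \t]*#/ && $2 ~ /[Ss1]/ && $4 ~ /sulogin/ { found = 1 }
             END { exit !found }' "$1"
}

# 0 if lilo.conf has both password= and restricted, so that parameters typed
# at the boot prompt (single, init=/bin/sh) require the password.
lilo_is_restricted() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1" &&
    grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$1"
}

# Prints one line per finding; exit status is the number of findings.
audit_boot() {
    n=0
    inittab_has_sulogin "$1" || { echo "inittab: single-user mode has no sulogin"; n=$((n + 1)); }
    lilo_is_restricted "$2" || { echo "lilo.conf: boot-prompt parameters not password-protected"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples: a weak pair and a hardened pair.
write_samples() {
    d=$1
    printf '%s\n' 'id:3:initdefault:' '# ~~:S:wait:/sbin/sulogin' \
        'l1:1:wait:/etc/rc.d/rc 1' > "$d/inittab.weak"
    printf '%s\n' 'id:3:initdefault:' '~~:S:wait:/sbin/sulogin' \
        'l1:1:wait:/etc/rc.d/rc 1' > "$d/inittab.hard"
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'image=/boot/vmlinuz' \
        '  label=linux' > "$d/lilo.weak"
    printf '%s\n' 'boot=/dev/hda' 'prompt' 'password=CHANGE_ME' 'restricted' \
        'image=/boot/vmlinuz' '  label=linux' > "$d/lilo.hard"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_boot "$tmp/inittab.weak" "$tmp/lilo.weak" || echo "weak pair: $? finding(s)"
audit_boot "$tmp/inittab.hard" "$tmp/lilo.hard" && echo "hardened pair: clean"
rm -rf "$tmp"
```

Because lilo.conf stores the password in clear text, the file should be readable by root only.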
