lilo has the restricted flag that I usually use to allow normal booting without a password, but requires a password if any parameters are used. Many new BIOSes can have two separate passwords (supervisor and user) and only allow a floppy boot on supervisor (of course you can clear the CMOS, but that requires removing the case).

It is possible to make a casual attack difficult if not impossible; all of the methods discussed here require a reboot, which on a critical machine will not go unnoticed. If anything, just seeing the uptime reset might spark curiosity, and the admin might find the rootkit or whatever.

--MonMotha

Dustin Cross wrote:
I know several ways to get root with physical access, but I didn't know
about using lilo like this or how to secure it.  This is useful if you have
linux workstations and want to make sure employees/users can't do things
they shouldn't.

Most of us know to set a bios/prom password so users can't boot floppy or
CD to get access.

This type of information won't protect us from a ruthless blackhat, but
will help keep authorized users in line.

Dusty
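
The lilo password setup mentioned in the reply above can be checked per boot entry with a small audit script. This is an added example, not part of the original thread: the function name `audit_lilo_conf`, the sample config and the placeholder password `CHANGEME` are assumptions, and `mandatory` and `bypass` are the other lilo.conf password modes alongside `restricted`.

```shell
# Added example: report how each lilo.conf boot entry is password-protected.
audit_lilo_conf() {
    conf=$1; rc=0
    report=$(awk '
        function emit(   mode, state) {
            if (sect == "") return
            mode = (m != "") ? m : gm          # per-image flag overrides global
            if (!(pw || gpw) || mode == "bypass") state = "UNPROTECTED"
            else if (mode == "restricted")        state = "restricted"
            else                                  state = "mandatory"
            print sect ": " state
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
        /^(image|other)[ \t]*=/ { emit(); sect = $0; pw = 0; m = ""; next }
        /^password[ \t]*=/ { if (sect == "") gpw = 1; else pw = 1; next }
        /^(restricted|mandatory|bypass)$/ { if (sect == "") gm = $0; else m = $0 }
        END { emit() }
    ' "$conf") || return 2
    printf "%s\n" "$report"
    case $report in *UNPROTECTED*) rc=1 ;; esac
    # The password is stored in cleartext, so only root should read the file.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf" &&
       [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: cleartext password readable by group/other; chmod 600"
        rc=1
    fi
    return $rc
}

# Constructed sample config (not from the thread); CHANGEME is a placeholder.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
boot=/dev/hda
password=CHANGEME
restricted
image=/boot/vmlinuz
    label=linux
image=/boot/vmlinuz.old
    label=old
    bypass
other=/dev/hda2
    label=dos
    mandatory
EOF
chmod 644 "$sample"   # deliberately too open, to trigger the permission finding
audit_lilo_conf "$sample" || echo "review the findings above"
```

An entry reported as `restricted` boots normally without a password but asks for it when parameters are given at the prompt; `mandatory` asks on every boot.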

