> Storing a password in clear text in /etc/lilo.conf seems like the worst
> possible solution. Even if I 'chmod 0600 /etc/lilo.conf' I have complete
> faith in the ability of a determined undergraduate student, with copious
> amounts of spare time, to find a way to subvert the file permissions. Hence
> gaining the 'boot time' password, booting in single user mode and wreaking
> havoc on the world at large.

if you "chmod 600" /etc/lilo.conf that said student would need root
access or a root exploit (and if they had that, why bother with the lilo
password). if you can stay on top of any security alerts and are careful
with what you install on the machine then you should not be more
concerned about the students than you would be about external attacks.
however that level of concern will always be > 0...

> Perhaps I could add the password option to lilo.conf, run lilo, then remove
> the password option... does lilo store the password on the MBR? If so, is it
> encrypted?

I know LILO normally stores everything in the MBR but I am not so sure
about encrypting it...

later
marty
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug