Bug 7875

Summary: no root passwd prompt when booting single user mode: linux single
Product: [Retired] Red Hat Linux Reporter: williamsmw
Component: abootAssignee: Cristian Gafton <gafton>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: williamsmw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-12-20 17:25:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description williamsmw 1999-12-18 05:25:00 UTC
I had to boot single user mode today and realized I am not prompted for a
password.  This is a really bad security risk.

Makes the system extremely vulnerable.

To duplicate:  at the lilo prompt type:  linux single

I tested this on RedHat 6.1 and Mandrake 6.1 which both allowed access to
entire system as root without a password.

Tested this on Caldera 2.3 and Corel 1.0, of which these systems gave the
expected prompt:

Give root password for maintenance
(or type Control-D for normal startup):

I need this fixed ASAP to certify my systems.....


Mark Williams

Comment 1 Chris Siebenmann 1999-12-19 03:24:59 UTC
A system that allows arbitrary LILO arguments cannot be secured
by giving single-user mode a password; one can just boot with
'linux init=/bin/sh' and bypass all of those checks. The real
solution is to set /etc/lilo.conf up to not allow extra arguments
without a password. (And to force the BIOS to boot only from the
HD, and to password-protect the BIOS.)

Comment 2 Bill Nottingham 1999-12-20 17:25:59 UTC
What he said. ;)