Red Hat Bugzilla – Bug 10059
suggestion how to close well-known hole
Last modified: 2008-05-01 11:37:54 EDT
By default there are at least 3 ways to boot into Redhat Linux with root
rights but without a password by passing lilo parameters to the kernel:
If somebody thinks it is OK, then what is the root password for?
Why not BY DEFAULT add an option to lilo.conf which would disable passing ANY
options to the kernel, or worse, ask about a lilo password during installation,
informing that storing it is insecure, and do chmod 600 /etc/lilo.conf?
You see, many people install Redhat, time passes, but they still don't
know about this stupid vulnerability.
Caldera and Suse ask for the root password when booting into single mode.
It is easy to add some features to the installation CD, so that those who
forgot their root password and don't know what to do could just boot from the
CD, answer "yes" to a question about automatic mounting of all found ext2
partitions,.... - no need to keep the default vulnerability because of such
Read the docs: you can set a boot password in lilo.conf ("man lilo.conf",
search for password).
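As an added check (example code, not from the bug report or the Red Hat reply): a POSIX shell audit of a lilo.conf for the global `password=` and `restricted` settings that "man lilo.conf" describes, and for a world-readable file mode, run against two constructed sample configs; the function names and sample paths are this example's own.

```shell
# Added example, not from the bug report or the Red Hat reply: audit a
# lilo.conf for the boot-password settings the reply points at, plus its mode.
# Two sample configs are constructed inline so the check runs offline.

# Classify the global password setting of a lilo.conf:
#   none       - no global password=, kernel parameters are accepted freely
#   always     - password= without restricted, prompts on every boot
#   restricted - password= plus restricted, prompts only when parameters are given
# Only the global section (before the first image=/other= stanza) is read.
lilo_password_mode() {
    awk '
        /^[[:space:]]*(image|other)[[:space:]]*=/ { exit }
        /^[[:space:]]*password[[:space:]]*=/      { pw = 1 }
        /^[[:space:]]*restricted[[:space:]]*$/    { rs = 1 }
        END { print (!pw ? "none" : (rs ? "restricted" : "always")) }
    ' "$1"
}

# "yes" if others can read the file (the password would leak), else "no".
# find -perm -004 is POSIX, unlike stat -c, so it also works on old systems.
lilo_world_readable() {
    if find "$1" -perm -004 | grep -q .; then echo yes; else echo no; fi
}

WORK=$(mktemp -d)

# Constructed: a default-style config of the kind the report complains about.
SAMPLE_WEAK="$WORK/lilo.conf.weak"
cat > "$SAMPLE_WEAK" <<'EOF'
boot=/dev/hda
image=/boot/vmlinuz
    label=linux
EOF
chmod 644 "$SAMPLE_WEAK"

# Constructed: hardened config; the password value is a placeholder.
SAMPLE_HARDENED="$WORK/lilo.conf.hardened"
cat > "$SAMPLE_HARDENED" <<'EOF'
boot=/dev/hda
restricted
password=CHANGE_ME_PLACEHOLDER
image=/boot/vmlinuz
    label=linux
EOF
chmod 600 "$SAMPLE_HARDENED"

for f in "$SAMPLE_WEAK" "$SAMPLE_HARDENED"; do
    echo "$f: password=$(lilo_password_mode "$f") world-readable=$(lilo_world_readable "$f")"
done
```

After changing a real /etc/lilo.conf, lilo must be re-run for the new settings to take effect, and the map file it writes should be protected the same way as the config.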