Bug 10059 - suggestion how to close well-known hole
Product: Red Hat Linux
Classification: Retired
Component: lilo
i386 Linux
medium Severity medium
Assigned To: Michael K. Johnson
: Security
Reported: 2000-03-08 09:43 EST by Sergey
Modified: 2008-05-01 11:37 EDT
Last Closed: 2000-03-08 09:43:05 EST
Description Sergey 2000-03-08 09:43:05 EST
By default there are at least 3 ways to boot into Red Hat Linux with root
rights but without a password by passing parameters to the kernel via lilo:

linux s
linux init=/bin/bash
linux root=/dev/fd0

If somebody thinks it is OK, then what is the root password for?
Why not BY DEFAULT add an option to lilo.conf which would disable passing ANY
options to the kernel, or worse, ask about a lilo password during installation,
informing that storing it is insecure, and doing chmod 600 /etc/lilo.conf?
You see, many people install Red Hat, time is passing, but they still don't
know about this stupid vulnerability.
Caldera and Suse ask for the root password when booting into single mode.
It is easy to add some features to the installation CD, so that those who
forgot their root password and don't know what to do could just boot from
CD, answer "yes" to a question about automatic mounting of all found ext2
partitions,....  - no need to keep default vulnerability because of such
Comment 1 Trond Eivind Glomsrød 2002-01-18 12:18:24 EST
Read the docs, you can set a boot password in lilo.conf - "man lilo.conf",
search for password.
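
Added example, not part of the bug report or of either comment: a Python sketch that audits a lilo.conf for the condition discussed in this bug, reporting boot entries not covered by a `password` option and applying the chmod 600 check the reporter mentions. The sample configs, the `CHANGE-ME` value and the function names are constructed for illustration; `restricted` is the lilo.conf option that makes lilo ask for the password only when parameters are typed at the boot prompt.

```python
import stat

# Constructed sample configs (not taken from the bug report).
DEFAULT_CONF = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""
HARDENED_CONF = DEFAULT_CONF.replace("prompt\n", "prompt\npassword=CHANGE-ME\nrestricted\n")

def parse_lilo_conf(text):
    """Return (global options, list of per-image option dicts)."""
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in ("image", "other"):          # a new boot entry begins
            current = {key: value}
            sections.append(current)
        elif current is None:                  # options before the first entry are global
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, sections

def audit(text, mode=None):
    """List boot entries that take kernel parameters without a password."""
    global_opts, sections = parse_lilo_conf(text)
    findings = []
    for sec in sections:
        name = sec.get("label") or sec.get("image") or sec.get("other")
        if "password" not in sec and "password" not in global_opts:
            findings.append(f"{name}: boot prompt accepts kernel parameters without a password")
    has_password = "password" in global_opts or any("password" in s for s in sections)
    # The password sits in the file in cleartext, so any group/other access is a finding.
    if has_password and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode & 0o777:o}: cleartext password open to group/other, expected 600")
    return findings

if __name__ == "__main__":
    for conf in (DEFAULT_CONF, HARDENED_CONF):
        print(audit(conf, 0o644))
```

To check a real system, pass the contents of /etc/lilo.conf and the `st_mode` from `os.stat` on that file to `audit`.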
