10059 – suggestion how to close well-known hole

Bug 10059 - suggestion how to close well-known hole

Summary: suggestion how to close well-known hole

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	lilo
Sub Component:
Version:	6.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Michael K. Johnson
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-03-08 14:43 UTC by Sergey
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2000-03-08 14:43:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sergey 2000-03-08 14:43:05 UTC

By default there are at list 3 ways to boot into Redhat Linux with root
rights but without password by passing via lilo parameters to the kernel:

linux s
linux init=/bin/bash
linux root=/dev/fd0

If somebody thinks it is OK, then what the root password is for ?
Why not BY DEFAULT add option to lilo.conf which would disable passing ANY
options to kernel. , or worse, ask about lilo password during installation
informing that it's storing is insecure and doing chmod 600 /etc/lilo.conf
You see, many people install Redhat , time is passing, but they still don't
know about this stupid vulnerability.
Caldera and Suse ask for root password when booting into single mode.
It is easy to add some features to installation CD, so that those who
forgot there root password and don't know what to do could just boot from
CD, answer "yes" to a question about automatic mounting of all founded ext2
partitions,....  - no need to keep default vulnerability because of such
people.

Comment 1 Trond Eivind Glomsrxd 2002-01-18 17:18:24 UTC

Read the docs, you can set a boot password in lilo.conf - "man lilo.conf",
search for password.

Note You need to log in before you can comment on or make changes to this bug.