Bug 2475 - sysvinit documentation is incorrect in reference to single-user mode
sysvinit documentation is incorrect in reference to single-user mode
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: SysVinit (Show other bugs)
6.0
i386 Linux
high Severity medium
: ---
: ---
Assigned To: David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-05-01 17:45 EDT by gordon.m.tetlow
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-05-31 15:27:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description gordon.m.tetlow 1999-05-01 17:45:04 EDT
When I boot my 6.0 system into single user mode from lilo,
(ie type "linux single" at the lilo prompt) init doesn't
seem to run /sbin/sulogin and prompt me for a root password.
Instead, it just drops to a root shell after running
/etc/rc.d/rc.sysinit

This means that anyone who can reboot the machine can get a
root shell simply by starting the machine in single user
mode. In my book, that is *very* bad.
Comment 1 rmc 1999-05-03 15:28:59 EDT
Errr... afaik, it always worked that way...
if you want access to single user mode restricted, use the "password"
and "restricted" options in LILO
Comment 2 gordon.m.tetlow 1999-05-03 16:11:59 EDT
What I was referring to though was that init is supposed to run
/sbin/sulogin when the init state is switch to single user mode.
Documentation for init professes that this is what is supposed to
happen (unless it can't find a valid root password hash). Clearly the
documented behavior is different from the de facto behavior. So which
one is correct?
Comment 3 Bill Nottingham 1999-05-03 17:07:59 EDT
single user mode is consistent with previous Red Hat Linux releases.
The documentation does need fixed, however.
Comment 4 david.r.linn 1999-05-03 18:27:59 EDT
I'm evaluating RedHat 6.0 for use in the computer labs at the VU
School of Engineering and discovered that it is trivial to bypass
any security on an RH6.0 system due to the reported behavior.
I was checking to see if this bug was already reported when I found
this bug report.  I'd like to suggest that, instead of changing the
documentation, y'all change init to call sulogin as currently
documented.  Others like me, coming from a Sun environment, will
be caught offguard by the current behavior and will, in all
likelihood, report this as a security problem.  I've reviewed the
lilo.conf manual page and am unclear how to replicate the desired
functionality (of using the current root password to control booting
into single-user mode) with the use of "restricted" and "password".
Comment 5 Aleksey Nogin 1999-05-04 01:32:59 EDT
1) Make sure /etc/lilo.conf is only readable/writable by root.
2) Add the following lines at the beginning of /etc/lilo.conf:
restricted
password=xxxxxx
3) Run lilo

Voila! Now anybody can boot the machine but if somebody attempts to
pass any arguments the the kernel (such as single), lilo would ask for
the password (the one in the lilo.conf, not the root password, of
course).
Comment 6 gordon.m.tetlow 1999-05-04 12:02:59 EDT
It just seems much simpler to make init run sulogin. That is the
generally expected behavior and is much more secure in the first
place. This only reinforces that RedHat has security turned off by
default. Security should be on because people that install RedHat may
not realize that anyone can come along and get root access without
effort. It is just inviting disaster for some unsuspecting user.
Comment 7 Aleksey Nogin 1999-05-04 13:42:59 EDT
Running sulogin at the single mode bootup would not make the system
any more secure. Linux kernel accepts a really powerful option
init=/path/to/program.\. By booting Linux with init=/bin/sh you would
get the shell immediatelly no matter how the init is configured. The
only protection against that is the password option in lilo.conf.

However I agree that the default configuration is too unsecure. I
think the correct solution is to make installer ask if the user wants
to password-protect LILO.
Comment 8 rmc 1999-05-05 11:03:59 EDT
I never thought of that, but it's a great idea...
on the other hand, it's already possible to add parameters to lilo
at installation time, and a good sysadmin should know how to restrict
lilo before setting a linux box as a real production server.
Comment 9 Jeff Johnson 1999-05-31 15:27:59 EDT
This problem seems to have been resolved. Please reopen if I'm wrong.
Comment 10 asosin 2000-03-16 13:37:59 EST
1) Make sure /etc/lilo.conf is only readable/writable by root.
 2) Add the following lines at the beginning of /etc/lilo.conf:
 restricted
 password=xxxxxx
 3) Run lilo

The above does not resolve the problem as one can easily type
init=/path/to/program
and the root prompt appears.  This is not a problem when running only
RedHat6.x, but it is a problem when you have a dual boot computer with
NTLDR running.  Is there going to be a patch for this ?

Note You need to log in before you can comment on or make changes to this bug.