When I boot my 6.0 system into single user mode from lilo, (ie type "linux single" at the lilo prompt) init doesn't seem to run /sbin/sulogin and prompt me for a root password. Instead, it just drops to a root shell after running /etc/rc.d/rc.sysinit This means that anyone who can reboot the machine can get a root shell simply by starting the machine in single user mode. In my book, that is *very* bad.
Errr... afaik, it always worked that way... if you want access to single user mode restricted, use the "password" and "restricted" options in LILO
What I was referring to though was that init is supposed to run /sbin/sulogin when the init state is switch to single user mode. Documentation for init professes that this is what is supposed to happen (unless it can't find a valid root password hash). Clearly the documented behavior is different from the de facto behavior. So which one is correct?
single user mode is consistent with previous Red Hat Linux releases. The documentation does need fixed, however.
I'm evaluating RedHat 6.0 for use in the computer labs at the VU School of Engineering and discovered that it is trivial to bypass any security on an RH6.0 system due to the reported behavior. I was checking to see if this bug was already reported when I found this bug report. I'd like to suggest that, instead of changing the documentation, y'all change init to call sulogin as currently documented. Others like me, coming from a Sun environment, will be caught offguard by the current behavior and will, in all likelihood, report this as a security problem. I've reviewed the lilo.conf manual page and am unclear how to replicate the desired functionality (of using the current root password to control booting into single-user mode) with the use of "restricted" and "password".
1) Make sure /etc/lilo.conf is only readable/writable by root. 2) Add the following lines at the beginning of /etc/lilo.conf: restricted password=xxxxxx 3) Run lilo Voila! Now anybody can boot the machine but if somebody attempts to pass any arguments the the kernel (such as single), lilo would ask for the password (the one in the lilo.conf, not the root password, of course).
It just seems much simpler to make init run sulogin. That is the generally expected behavior and is much more secure in the first place. This only reinforces that RedHat has security turned off by default. Security should be on because people that install RedHat may not realize that anyone can come along and get root access without effort. It is just inviting disaster for some unsuspecting user.
Running sulogin at the single mode bootup would not make the system any more secure. Linux kernel accepts a really powerful option init=/path/to/program.\. By booting Linux with init=/bin/sh you would get the shell immediatelly no matter how the init is configured. The only protection against that is the password option in lilo.conf. However I agree that the default configuration is too unsecure. I think the correct solution is to make installer ask if the user wants to password-protect LILO.
I never thought of that, but it's a great idea... on the other hand, it's already possible to add parameters to lilo at installation time, and a good sysadmin should know how to restrict lilo before setting a linux box as a real production server.
This problem seems to have been resolved. Please reopen if I'm wrong.
1) Make sure /etc/lilo.conf is only readable/writable by root. 2) Add the following lines at the beginning of /etc/lilo.conf: restricted password=xxxxxx 3) Run lilo The above does not resolve the problem as one can easily type init=/path/to/program and the root prompt appears. This is not a problem when running only RedHat6.x, but it is a problem when you have a dual boot computer with NTLDR running. Is there going to be a patch for this ?