Red Hat Bugzilla – Bug 2748
Root shell without root password by booting in single user mode
Last modified: 2008-05-01 11:37:50 EDT
Any user can reboot a red hat linux system and type "linux single" at the lilo prompt and come with a root shell in single user mode. It is then a simple task to just edit /etc/shadow to change the root password, or, even worse, create a new user with a uid of zero. Then they reboot the system and security has been compromised. Now, one can say this is not a bug, because you can't protect a machine from someone with physical access. I.e. Anyone can get in with a bootdisk, or if booting from a disk is disabled in the bios, then they just swapp the hard drive to another system and mount it. However, in the initscripts where the filesystems are mounted and checked, care is taken to not bump out to a root shell without asking for the root password. (See where /etc/rc.d/rc.sysinit calls sulogin.) But I think the better argument that this security hole is way too easy to use. This could get around to users who might have fun saying, "look at me hack your Linux desktop in two min flat without any real tools." This is just the thing that could by hyped by some annoying media outlet like ZD-Net as a "new major security hole in linux". Just as the limit on the number of processes running and the fact that anyone can force init to create new processes was discovered as "the fatal UNIX design flaw." (If you can't tell, I don't like them too much. he he) And, as Linux machines become desktop machines instead of server locked away in closets where physical access is more closely guarded, this security hole becomes more of a problem. What about the solution? Well, I have a few thoughts. One solution is to place a password on boot parameters in this /etc/lilo.conf file. However, this is annoying because it's not tied into the root password. But perhaps there is some way to tie it in. I've done this to secure systems. Another solution is to modify the mechanism that starts that root shell to actually call suroot like rc.sysinit does. I don't know if this in the kernel or some conf file; it's been a long time since I poked around there. But hey, the kernel can exec /sbin/sulogin just as easily as /bin/sh. You could even make it look for /sbin/singleusershell, then /bin/sh.. and just make /bin/singleusershell a symlink to /sbin/sulogin. This is nicely reverse compatible and customizable. I like it. (I posted this as a bug to the lilo package, because I could not think of a better package. Also, I think this is only an i386 problem because lilo is arch specific, but it might be on others. I simply don't know.)
Unfortunately, without a lilo password, you can do the exact same thing with 'linux init=/bin/bash'. Hence, fixing one without the other is sort of pointless, and we can't take the 'init' functionality out of lilo. We may look at passwording lilo in the future.
A line is missing in /etc/inittab of the RedHat distributions. If you add "~~:S:wait:/sbin/sulogin" on a line by itself in /etc/inittab, then you will be prompted for the root password when entering single mode.
Hum... I think you are right here, I forgot that the kernel still runs init when it enters single user mode. I'd really love to get this fix in the next Red Hat release. IMO, even though the init=/bin/bash backdoor still exists, getting ride of the single user mode boot backdoor makes the system more secure, because it is much more easy to stumble into. I.e. lots of people know about single user mode... it's a UNIX standard. And I'll bet more than a handful have booted to single user mode then thought "Hey! Why was I not prompted for a password!?" Less people probably have read the boot prompt HOWTO and remember the init= option.