Bug 7840 - when switching to init 1, system is not protected by root password
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 6.1
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Keywords: Security
Reported: 1999-12-16 07:53 EST by Q Enterix
Modified: 2014-03-16 22:11 EDT
Doc Type: Bug Fix
Last Closed: 1999-12-16 12:00:16 EST
Description Q Enterix 1999-12-16 07:53:50 EST
When switching to init 1 (single user mode), system automatically logs in as
root. There is no password protection at this level. This is a security
problem especially with console access and Ctrl+Alt+Del enabled: typing
"LILO: linux 1" will give full root access.
Comment 1 Bill Nottingham 1999-12-16 12:00:59 EST
So will, among other things, 'linux init=/bin/bash'. Without
disabling command-line arguments completely in LILO, there's
no point in making single user-mode ask for a password.
Comment 2 Riley H Williams 1999-12-16 19:15:59 EST
There is actually a fairly simple fix for this problem, which I have put in
every Linux installation I've done:

 1. Run the following command:

        chmod 0600 /etc/lilo.conf

 2. Put the following two lines at the top of /etc/lilo.conf (at least, in
    the global section thereof):

        password=PASSWORD
        restricted

    Replace PASSWORD with whatever password you require, in plaintext.
    Note that whitespace is NOT permitted in the password.

 3. Make sure that the default runlevel in /etc/inittab is NOT level 1.

 4. Run lilo to install those changes.

Following the above, anybody wishing to add ANY parameters to the command line
will need to type in the specified password before LILO will permit their use.
The password has to be in plaintext here for some reason, hence the requirement
to set mode 0600 on /etc/lilo.conf first.

Personally, I'd like to see this as the default in RedHat. Any chance of that?
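
A check for steps 1 to 3 of the procedure in Comment 2, as an added example that is not part of the bug report or of any Red Hat package. The function names (`lilo_global`, `audit_lilo`, `write_sample`) are hypothetical and the sample file contents are constructed; file paths are passed as arguments so the check can be run against copies.

```shell
#!/bin/sh
# Added example (not from the bug report): audit steps 1-3 of Comment 2.
# lilo_global, audit_lilo and write_sample are hypothetical helper names.

# Print the global section of lilo.conf: the lines before the first
# image=/other= stanza, with comments and blank lines dropped.
lilo_global() {
    awk '/^[ \t]*(image|other)[ \t]*=/ { exit }
         { sub(/#.*/, ""); if ($0 ~ /[^ \t]/) print }' "$1"
}

# audit_lilo LILO_CONF INITTAB: print one FAIL line per problem, return 1 if any.
audit_lilo() {
    conf=$1; inittab=$2; rc=0
    # Step 1: the password is plaintext, so group and other get no access.
    [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $conf is accessible to group/other"; rc=1; }
    # Step 2: password= and restricted must both sit in the global section.
    global=$(lilo_global "$conf")
    printf '%s\n' "$global" |
        grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]]' ||
        { echo "FAIL: no password= in global section"; rc=1; }
    printf '%s\n' "$global" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$' ||
        { echo "FAIL: no restricted in global section"; rc=1; }
    # Step 3: the default runlevel (id:N:initdefault:) must not be 1.
    level=$(awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$inittab")
    { [ -n "$level" ] && [ "$level" != 1 ]; } ||
        { echo "FAIL: default runlevel is '${level:-unset}'"; rc=1; }
    return "$rc"
}

# Constructed sample files for a dry run: write_sample DIR
write_sample() {
    printf '%s\n' 'boot=/dev/hda' 'password=PASSWORD' 'restricted' \
        'image=/boot/vmlinuz' '    label=linux' > "$1/lilo.conf"
    chmod 0600 "$1/lilo.conf"
    printf '%s\n' '# constructed inittab' 'id:3:initdefault:' > "$1/inittab"
}

# Usage: sh audit.sh /etc/lilo.conf /etc/inittab
if [ $# -eq 2 ]; then audit_lilo "$1" "$2"; fi
```

The script reads only the files, so it cannot confirm step 4: the settings take effect once lilo has been run to install them.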
