Securing LILO (on and on and on...) (was: Re: [Techtalk] My X display is fubar)

Conor Daly conor.daly at oceanfree.net
Wed Jun 5 23:06:47 EST 2002


On Tue, Jun 04, 2002 at 08:07:19PM +0100 or so it is rumoured hereabouts, 
/dev/null thought:
> this is also how i've done it in the past, on mandrake 7.x distros,
> 
> LILO:  linux single root=/dev/sdd1
> (or wherever your linux mount point is...)
> 
> this should get you as far as a root-only command prompt... but of 
> course this doesn't help at all if LILO has failed... or with grub and 
> these graphical displays that Mandrake 8.x defaults to...
 
There was a thread on the subject of the Mandrake "Aurora" graphical "hide
your boot process" screen and how to turn that off.  It was on May 10th:

"Subject: Re: [Techtalk] Getting rid of Aurora (was why is my kernel so big???)
Date: Fri, 10 May 2002 11:55:59 -0400

Hey there,

I've had this issue on many an occasion.... the icky Aurora screen.

Open up your Mandrake Control Center, open up Boot... this will give you 3
options. Boot Disk, Boot Config and Auto Install.  Choose Boot Config and
there's a handy dandy little button to turn off Aurora on startup!

If you unselect it, log off, and restart, you will get the standard text
boot.

Hope that takes care of it for you!
(I wish I had always on internet, then I could look up the reference to
the archives...)

> a good reminder to me to switch my bootloader to LILO text mode on my 
> next boot up instead of that annoying but pretty graphical mode....
 
> but does anyone know how to get around this with grub or how to get out 
> of graphical bootup once it's running?... i guess a rescue disk would do 
> it (not having had to try so far, touch wood, i don't know...)

Once lilo or grub has done its stuff and the kernel is actually booting,
the only thing you can do is <CTRL><ALT><DEL> to reboot (it's usually a
graceful reboot so you don't need to worry about bad shutdowns).

Note that the above gives whoever types it root access on your machine.
This might _not_ be what you want!  You can, however, restrict such stuff
with a lilo password.  It goes like this...

# /etc/lilo.conf

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
compact
prompt
timeout=50
linear

#################
password=SECRET
#################

vga=0xf07
message=/boot/message
default=Redhat-70

# image section
image=/boot/vmlinuz-2.2.16-22
	label=Redhat-70
	read-only
	root=/dev/hda1
	append="mem=127m"

###################
	restricted
###################
# end image section

# end /etc/lilo.conf

Note the two keywords "password" and "restricted"

from 'man lilo.conf'

       restricted
              A password is only required to boot  the  image  if
              parameters  are specified on the command line (e.g.
              single).

So, if I type "linux single" at the LILO prompt, I must supply the correct
password before it will work.  Note that the password is in plaintext in
/etc/lilo.conf so you either want to "chmod 600" it or remove the password
after you install it.

As for grub, you can enter a command shell at grub time and enter the
required parameter there.  I've only used grub a little so I'm not
familiar with all of the commands or anything.  Anytime I've played with
it, I've had to retype grub's equivalent of a lilo.conf along with the
extra parameters I wanted but I'm sure there's a better way.  In fact,
having poked around in "info grub" it seems there is an "edit" option at
the grub menu.  You should be able to edit the "kernel" line to specify
the runlevel.  OK, /etc/grub.conf looks like this:

# /etc/grub.conf

default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
title Red Hat Linux (K6-2)
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.7-10-amd-K6-2 ro root=/dev/hda1 mem=127M vga=0xf07
	initrd /boot/initrd-2.4.7-10.img
	uppermem 130048

# end /etc/grub.conf

Note the "password" entry.  This secures the grub menu so you must enter a
password before you can do anything other than choose which menu entry to
boot.  This is the equivalent of "password" and "restricted" in LILO.
Note also that the password given is the MD5 hash of the actual password
(but only if you specify "--md5" in the line, otherwise you can give it in
cleartext).  To generate the md5 hash, do:

/sbin/grub
grub> md5crypt 

Password: *******
Encrypted: $1$zV04K/$liDg2xBicUTUD94DKBfIs/

grub> 

Copy the resulting hash into the password line in /etc/grub.conf and
you're password protected!

Next, there's the "kernel" line.  If you compare it with the "image"
section from lilo.conf above, you'll find it contains pretty much the same
options but all on one line.  To boot to runlevel 3 instead of 5 (the
default in /etc/inittab) you need to do the following...

At the grub menu, type 'e' to edit an entry.  You'll be asked for the
password (you _did_ set one didn't you?).
Use arrow keys (or something) to get to the "kernel" line where you should
be able to add a "3" as a kernel option.
<ENTER> to save the change (for this session only AIUI)
'b' to boot (or something)

Anyway, don't forget to secure your bootloader.  There's no point in
having a nice strong root password if someone can walk up to the machine
and boot to a root session.  (I _know_ that anyone at the console pretty
much owns the machine but this still protects you from most casual
attack.)

Conor (Who's supposed to be doing something else...)
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
 10:13pm  up 13 days,  7:31,  0 users,  load average: 0.16, 0.03, 0.01
Hobbiton.cod.ie
 10:15pm  up 13 days,  7:36,  2 users,  load average: 0.42, 0.13, 0.03
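
Added example, not part of the original message: a small shell audit for the two settings discussed above, a LILO "password" line in a file only root can read, and a legacy GRUB "password --md5" line. The function names and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Audit a lilo.conf or legacy grub.conf for the boot-prompt protections
# described in the message above. Each function prints one finding,
# or "ok" when nothing is flagged.

# Succeeds if group or other have any permission bits on the file.
group_or_other_access() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# "restricted" is not checked: without it LILO asks for the password on
# every boot (the "mandatory" default), which is stricter, not weaker.
audit_lilo() {
    f=$1; finding=""
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f"; then
        finding="no password: parameters such as 'single' are accepted from anyone"
    elif group_or_other_access "$f"; then
        finding="plaintext password readable by non-root users: chmod 600 $f"
    fi
    printf '%s\n' "${finding:-ok}"
}

audit_grub() {
    f=$1; finding=""
    # First uncommented "password" directive, if any (sed exits 0 either way).
    pw=$(sed -n '/^[[:space:]]*password[[:space:]]/{p;q;}' "$f")
    case $pw in
        "")      finding="no password: menu entries can be edited by anyone" ;;
        *--md5*) ;;
        *)       finding="password stored in cleartext: use md5crypt and --md5" ;;
    esac
    printf '%s\n' "${finding:-ok}"
}

# Demo on a constructed lilo.conf (not taken from a real host).
demo=$(mktemp)
printf 'prompt\npassword=SECRET\nimage=/boot/vmlinuz\n\trestricted\n' > "$demo"
chmod 644 "$demo"; audit_lilo "$demo"   # flags the readable plaintext password
chmod 600 "$demo"; audit_lilo "$demo"   # prints: ok
rm -f "$demo"
```
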


