Single-user mode -- huge security hole?


Post by Mike Olive » Thu, 18 Oct 2001 11:46:16



I realized a while ago that--at least in my RH6.1/LILO setup,
which I think is fairly standard--someone with physical access
to the machine can take it over without knowing any passwords
at all.  Just type "linux 1" at the LILO prompt, and bingo,
you're root and can change the root password without knowing
the old one.

Now, I'm not entirely sure I *want* to change this; it could
come in handy if I ever change the root password and then
promptly forget it, which isn't impossible.  But do other
people have it set up so you can't do this?  What do you do?

I know of course that if someone has physical access to your
machine he can get your data *eventually* if it's not encrypted,
but I wouldn't think it's supposed to be this easy.

 
 
 


Post by J Haywar » Thu, 18 Oct 2001 12:18:17


<snip...>

> Now, I'm not entirely sure I *want* to change this; it could
> come in handy if I ever change the root password and then
> promptly forget it, which isn't impossible.  But do other
> people have it set up so you can't do this?  What do you do?

<snip...>

One way to do it is to use either the "password" or "password" and
"restricted" together in your lilo.conf.

password=yourpasswordhere

This will prompt for a password when the machine is booted. Make sure if
you use this option you set the permissions on your lilo.conf file to allow
only the root user to view it.

"restricted" will only prompt for a password if options are used on the
command line when booting, i.e. if someone tries to boot: linux single.

Of course this won't help if you don't disable booting from a floppy disk.

Regards,
        Jim H
--
Visit the discussion board at:
http://www.getlinuxonline.com/cgi-bin/Discussion/YaBB.cgi

 
 
 


Post by David Efflan » Thu, 18 Oct 2001 12:41:51



> I realized a while ago that--at least in my RH6.1/LILO setup,
> which I think is fairly standard--someone with physical access
> to the machine can take it over without knowing any passwords
> at all.  Just type "linux 1" at the LILO prompt, and bingo,
> you're root and can change the root password without knowing
> the old one.

> Now, I'm not entirely sure I *want* to change this; it could
> come in handy if I ever change the root password and then
> promptly forget it, which isn't impossible.  But do other
> people have it set up so you can't do this?  What do you do?

SuSE seems to do this by default.  When I had a disk problem and it
reverted to single mode read/only, I had to enter the root password.

> I know of course that if someone has physical access to your
> machine he can get your data *eventually* if it's not encrypted,
> but I wouldn't think it's supposed to be this easy.

Something else to consider, anybody can read anything on an ext2 partition
from explore2fs in Windows.

The only way to protect your box if someone has physical access (booting
from floppy or cdrom) is with BIOS password (if you have the box
restrained so they cannot get at the jumper to clear that).

--
David Efflandt - All spam is ignored - http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/

 
 
 


Post by Todd Knar » Thu, 18 Oct 2001 13:16:03



> I know of course that if someone has physical access to your
> machine he can get your data *eventually* if it's not encrypted,
> but I wouldn't think it's supposed to be this easy.

Why put a great deal more effort into it? If someone's got physical
access to the console and can reboot, they can pop a boot floppy or
CD in and boot from that, and completely bypass your single-user-mode
password. Linux simply omits the warm-fuzzy that might fool you into
thinking that you're safe from someone at the console just because
you set a password.

If you really want it secured, you'll need to:
1) Use the 'restrict' and 'password' options in lilo.conf to require
   a password before you can change boot-time options like runlevel.
2) Disable booting from floppies and/or CD-ROMs.
3) Remove any non-Linux partitions from LILO's boot menu.
4) Set the BIOS password on your computer so that nobody can enter the
   BIOS setup to change things without giving the password.
5) Physically secure the case so that nobody can open it without having
   a key. That includes opening it by prying the sides out of their slots
   with a screwdriver ( this requires a case with a significantly better
   design than anything you can buy at the local computer store ).
6) Keep that key in your physical possession at all times.

#1 alone will keep out the non-tech-savvy casual person ( which is probably
good enough to keep wandering fingers from messing things up ). You'll
need 3 or 4 to stop the neighbor's kid who's been using computers for a
few years and wants to find out what kinds of pictures you've got stashed
away. You'll need 5 and 6 to stop determined opponents ( and if you need
them, you should consider just going for encryption with keys on a
floppy normally kept elsewhere so that your data remains secure even if
someone gets root access to the box ).

--
There are mushrooms that can survive weeks, months without air or food. They
just dry out and when water comes back, they wake up again. And call the
helldesk about their password expiring.
                                -- Jens Benecke and Tanuki the Raccoon-dog
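An added example, not part of the original thread: a small audit of the lilo.conf settings raised in the two posts above (`password`, `restricted`, root-only file permissions, and non-Linux entries in the boot menu). The function names and the sample configuration are constructed for illustration.

```python
import stat

def parse_lilo_conf(text):
    """Split lilo.conf text into global options and image=/other= sections."""
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):            # a new boot entry starts here
            current = {"kind": key, "target": value, "opts": {}}
            sections.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current["opts"][key] = value
    return global_opts, sections

def audit(text, mode, uid):
    """Return findings for a lilo.conf body plus the file's st_mode and owner uid."""
    global_opts, sections = parse_lilo_conf(text)
    findings, stores_password = [], "password" in global_opts
    for s in sections:
        opts = {**global_opts, **s["opts"]}      # per-entry options override global
        label = s["opts"].get("label", s["target"])
        stores_password |= "password" in opts
        if s["kind"] == "image" and "password" not in opts:
            findings.append(f"{label}: boot options such as 'linux 1' need no password")
        if s["kind"] == "other" and ("password" not in opts or "restricted" in opts):
            findings.append(f"{label}: non-Linux entry boots without a password prompt")
    if stores_password and (uid != 0 or mode & (stat.S_IRWXG | stat.S_IRWXO)):
        findings.append("lilo.conf stores a password but is not root-only (owner root, mode 0600)")
    return findings

# Constructed sample, not taken from any real machine.
SAMPLE = """\
prompt
password=CONSTRUCTED-PLACEHOLDER
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
other=/dev/hda2
    label=dos
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o100644, 0):   # world-readable, owned by root
        print(finding)
```

To check a real system, pass the contents of /etc/lilo.conf together with `st_mode` and `st_uid` from `os.stat`; changes to lilo.conf only take effect after /sbin/lilo is rerun.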

 
 
 


Post by Floyd Davidso » Thu, 18 Oct 2001 12:57:34



>I realized a while ago that--at least in my RH6.1/LILO setup,
>which I think is fairly standard--someone with physical access
>to the machine can take it over without knowing any passwords
>at all.  Just type "linux 1" at the LILO prompt, and bingo,
>you're root and can change the root password without knowing
>the old one.

>Now, I'm not entirely sure I *want* to change this; it could
>come in handy if I ever change the root password and then
>promptly forget it, which isn't impossible.  But do other
>people have it set up so you can't do this?  What do you do?

>I know of course that if someone has physical access to your
>machine he can get your data *eventually* if it's not encrypted,
>but I wouldn't think it's supposed to be this easy.

If a 12 year old has physical access to your PC's motherboard...
(s)he can plug in the installation boot cd or floppy from almost
any Linux distribution and have total access to your system,
regardless of what OS you normally run, in the time it takes to
boot and then mount the harddrives.  (No time at all...)

You can of course try to lock the case to avoid access to the
motherboard, use a password on the motherboard bios
configuration, not allow the system to boot from anything other
than the desired hard disk, and not allow Linux to look for
keyboard input during the boot process.

In which case our cracker can only get into it by breaking the
lock.  (Unless you are connected to the Internet, in which case
anyone can probably get into it in a few minutes from the other
side of the world!)

--
Floyd L. Davidson         <http://www.ptialaska.net/~floyd>

 
 
 


Post by Steve Lam » Thu, 18 Oct 2001 16:28:12



> I realized a while ago that--at least in my RH6.1/LILO setup, which I think
> is fairly standard--someone with physical access to the machine can take it
> over without knowing any passwords at all.  Just type "linux 1" at the LILO
> prompt, and bingo, you're root and can change the root password without
> knowing the old one.

    If someone has physical access to the machine there isn't much you can do
to prevent them from doing what they want.  Sure, people will suggest
different methods but in the final analysis what it all boils down to is if
someone has physical access, it's over.

    At home I'm more worried about someone walking into my apartment than
logging on the console.  At work all the important machines are behind locked
doors in the DC which is, in turn, behind several other layers of locked areas
where the "lesser" workstations sit.

    IE, physical access is the first step, not the last.

--
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
         ICQ: 5107343          | main connection to the switchboard of souls.
    To email: Don't despair!   |  -- Lenny Nero, Strange Days
-------------------------------+---------------------------------------------

 
 
 


Post by Bill Unr » Thu, 18 Oct 2001 18:05:09



]I realized a while ago that--at least in my RH6.1/LILO setup,
]which I think is fairly standard--someone with physical access
]to the machine can take it over without knowing any passwords
]at all.  Just type "linux 1" at the LILO prompt, and bingo,
]you're root and can change the root password without knowing
]the old one.

]Now, I'm not entirely sure I *want* to change this; it could
]come in handy if I ever change the root password and then
]promptly forget it, which isn't impossible.  But do other
]people have it set up so you can't do this?  What do you do?

man lilo.conf
password option

]I know of course that if someone has physical access to your
]machine he can get your data *eventually* if it's not encrypted,
]but I wouldn't think it's supposed to be this easy.

 
 
 


Post by Peet Groble » Thu, 18 Oct 2001 18:23:14


I can still remove the harddrive if I have physical access to the machine.

Like Steve said, physically secure the machine. That's the first step. Lock
it up in a deep, dark place that no-one knows about.



writes:

> ]I realized a while ago that--at least in my RH6.1/LILO setup,
> ]which I think is fairly standard--someone with physical access
> ]to the machine can take it over without knowing any passwords
> ]at all.  Just type "linux 1" at the LILO prompt, and bingo,
> ]you're root and can change the root password without knowing
> ]the old one.

> ]Now, I'm not entirely sure I *want* to change this; it could
> ]come in handy if I ever change the root password and then
> ]promptly forget it, which isn't impossible.  But do other
> ]people have it set up so you can't do this?  What do you do?

> man lilo.conf
> password option

> ]I know of course that if someone has physical access to your
> ]machine he can get your data *eventually* if it's not encrypted,
> ]but I wouldn't think it's supposed to be this easy.

 
 
 


Post by Dave Bro » Fri, 19 Oct 2001 01:52:19





><snip...>
>> Now, I'm not entirely sure I *want* to change this; it could
>> come in handy if I ever change the root password and then
>> promptly forget it, which isn't impossible.  But do other
>> people have it set up so you can't do this?  What do you do?

><snip...>

> One way to do it is to use either the "password" or "password" and
> "restricted" together in your lilo.conf.

> "restricted" will only prompt for a password if options are used on the
> command line when booting, i.e. if someone tries to boot: linux single.

> Of course this won't help if you don't disable booting from a floppy disk.

As other respondents have said "physical security" is necessary.  Putting
it another way: "Anyone with physical access is 'trusted'."

Along those lines, dual-booting is also a security hole (subject to a  
WinNT login passwd, if set).  Boot into a Win98 partition, copy a
kernel image and loadlin.exe from a diskette or CD, and you're into the
Linux machine.

--
Dave Brown  Austin, TX

 
 
 


Post by Skylar Thomps » Thu, 18 Oct 2001 19:17:51


[snip]

> 3) Remove any non-Linux partitions from LILO's boot menu.

This isn't strictly necessary for security; one could just assign a
password to non-Linux stuff as well.

[snip]

--

P(4.2.2) + "Skylar DXLIX" DMPo L:36 DL:2500' A++ R+++ Sp w:Stormbringer
A(JLE)*/P*/Z/J64/Ad L/O H+ D+ c f-/f PV+ s TT- d++/d+ P++ M/M+
C- S++ I+/I++ So B+ ac GHB++ SQ++ RQ+ V+ F:JLE F: Possessors strong again

 
 
 


Post by Todd Knar » Fri, 19 Oct 2001 05:29:24



> This isn't strictly necessary for security; one could just assign a
> password to non-Linux stuff as well.

I think, as long as you don't add/change any options, you can select any
entry from the LILO boot menu without a password even in restricted mode.
If you can boot into Windows you can use programs there to read and write
ext2 filesystems as root, and I'd assume the same goes for OS/2 and other
OSes. Another suitably-protected OS would be OK, as long as you control
root on it and it enforces access controls on ext2 filesystems, but the
general case today is that the 'other OS' will probably be Windows with
its casual attitude towards access control.

--
There are mushrooms that can survive weeks, months without air or food. They
just dry out and when water comes back, they wake up again. And call the
helldesk about their password expiring.
                                -- Jens Benecke and Tanuki the Raccoon-dog

 
 
 


Post by Mike Olive » Fri, 19 Oct 2001 05:45:06



> As other respondents have said "physical security" is necessary.  Putting
> it another way: "Anyone with physical access is 'trusted'."

> Along those lines, dual-booting is also a security hole (subject to a
> WinNT login passwd, if set).  Boot into a Win98 partition, copy a
> kernel image and loadlin.exe from a diskette or CD, and you're into the
> Linux machine.

Well, all this is true philosophically, but there are practicalities
and there are different degrees of "physical access".  I'm not aware,
for example, of any straightforward way that someone who can get to your
machine for five minutes only can compromise a WinNT installation
without your noticing.  If you reinstall WinNT over an existing installation,
you might be able to change the Administrator password without otherwise
altering the setup (not sure about this, haven't tried) but it's not
something you can do while you slip away from a tour.

But if I can boot into single-user mode in Linux, five minutes is enough
time for me to create an account for myself and add that account to
all groups, then look over the machine remotely later, con calma.
If this were done to my machine, it's quite likely that I wouldn't
notice the new account for quite some time.

I am absolutely *not* making a "Windows-better-than-Linux" point
here.  I'm just pointing out that the fact that a countermeasure
can be defeated in principle is not a good excuse for not
taking it.

 
 
 


Post by Mike Olive » Fri, 19 Oct 2001 06:18:10



> I can still remove the harddrive if I have physical access
> to the machine.

Suppose you have five minutes of physical access.  Can you remove
the hard drive, do your nefarious doings to it and put it back,
all without me noticing?
 
 
 


Post by Vilmos Sot » Fri, 19 Oct 2001 06:32:58



>> I can still remove the harddrive if I have physical access
>> to the machine.

> Suppose you have five minutes of physical access.  Can you remove
> the hard drive, do your nefarious doings to it and put it back,
> all without me noticing?

And what about password protecting lilo?

Vilmos

 
 
 


Post by Lloyd Sumpte » Fri, 19 Oct 2001 07:26:37


Anyone with physical access to your machine has access. To "sneak" in,
he just has to have a Linux-on-a-floppy, boot from the floppy, and mount
your HD. Or, if he wants to be malicious, he can access your CMOS
settings and totally*everything up.

   So - security means don't let untrusted individuals access your
computer physically.

Lloyd



> I realized a while ago that--at least in my RH6.1/LILO setup, which I
> think is fairly standard--someone with physical access to the machine
> can take it over without knowing any passwords at all.  Just type "linux
> 1" at the LILO prompt, and bingo, you're root and can change the root
> password without knowing the old one.

> Now, I'm not entirely sure I *want* to change this; it could come in
> handy if I ever change the root password and then promptly forget it,
> which isn't impossible.  But do other people have it set up so you can't
> do this?  What do you do?

> I know of course that if someone has physical access to your machine he
> can get your data *eventually* if it's not encrypted, but I wouldn't
> think it's supposed to be this easy.