Locking down lilo / lilo.conf


Post by Brian Gree » Tue, 25 Jul 2000 04:00:00



What would be the best way to lock down lilo so that no one can pass
parameters to the kernel from there?

I have tried delay=0 and have tried restricted it, but you seem to always be
able to enter something like :

linux 1

After doing that, it takes you straight into 1-user mode, without any
password prompt. Any good advice on this?

Brian.

 
 
 


Post by Cedric Blanche » Tue, 25 Jul 2000 04:00:00




> What would be the best way to lock down lilo so that no one can pass
> parameters to the kernel from there?

> I have tried delay=0 and have tried restricted it, but you seem to always be
> able to enter something like :

> linux 1

> After doing that, it takes you straight into 1-user mode, without any
> password prompt. Any good advice on this?

I think you should also specify a password with password= in your
/etc/lilo.conf.

 
 
 


Post by Brian Gree » Tue, 25 Jul 2000 04:00:00



>I think you should also specify a password with password= in your
>/etc/lilo.conf.

Tried it. It seems to have absolutely no effect at all, regardless of where I
put it in the lilo.conf file.

Brian.

 
 
 


Post by gu.. » Tue, 25 Jul 2000 04:00:00




>>I think you should also specify a password with password= in your
>>/etc/lilo.conf.

>Tried it. It seems to have absolutely no effect at all, regardless of where I
>put it in the lilo.conf file.

>Brian.

you must run lilo after you make changes to the lilo.conf file, in order
for those changes to take effect.

you might want to try setting a password and making it restricted,
(man 5 lilo.conf).  that way you'll only be prompted for a password
if you try to pass options to the kernel while booting.

--
Science is what you know.  Philosophy is what you don't know.
 -Bertrand Russell (1872-1970)

 
 
 


Post by The Contac » Tue, 25 Jul 2000 04:00:00



> Tried it. It seems to have absolutely no effect at all, regardless of where I
> put it in the lilo.conf file.

Place in your lilo.conf:

restricted
password=MyPasSworD

Also, do a 'chmod 600 /etc/lilo.conf' so regular users can't read your
password. Then, run '/sbin/lilo'.
I think that 'password=MyPasSworD' without 'restricted' only applies
when the parameter 'single' is used, so '1' would be a circumvention
around it. With 'restricted' it asks a password whenever a parameter is
given.

Try and keep us posted,
--
The Contact
"Knowing everything is impossible. Trying to is not."

 
 
 


Post by Brian Gree » Tue, 25 Jul 2000 04:00:00


Thanks for all of the help.

I am ashamed to admit that at least part of the problem was that I wasn't running
lilo... After doing that, and adding in that restricted line, everything
has been wonderful.

Thanks again...

It is shameful to forget the fundamentals...

 
 
 


Post by elle.. » Tue, 25 Jul 2000 04:00:00



> I am ashamed to admit that at least part of the problem was that I wasn't running
> lilo... After doing that, and adding in that restricted line, everything
> has been wonderful.

You should also bear in mind though, that bypassing lilo is
trivial. The situation is analogous to privacy locks often installed
on bedroom and bathroom doors. It'll keep your roommate from accidentally
walking in, but not from using a screwdriver and bypassing the
lock. Similarly, a lilo password will stop kids, roommates, whoever
from accidentally breaking things, but won't help at all against anyone
dedicated enough to boot from another disk.

--

 
 
 


Post by Tim Moor » Tue, 25 Jul 2000 04:00:00


In addition in BIOS you might want to disable all boot devices but your
primary boot drive and set a password on changing BIOS params.  Most modern
boards can do this.

An intruder would have to get physical access to your motherboard at
that point.  Still, it's only a little better than the bedroom lock.

> You should also bear in mind though, that bypassing lilo is
> trivial. The situation is analogous to privacy locks often installed
> on bedroom and bathroom doors. It'll keep your roommate from accidentally
> walking in, but not from using a screwdriver and bypassing the
> lock. Similarly, a lilo password will stop kids, roommates, whoever
> from accidentally breaking things, but won't help at all against anyone
> dedicated enough to boot from another disk.

--
timothymoore
   bigfoot
     com
 
 
 


Post by Leander Jansse » Sat, 29 Jul 2000 04:00:00


in lilo.conf :

timeout=00
restricted
password=<password>

make sure nobody can read the lilo.conf file :

chmod 400 lilo.conf

Leander


> What would be the best way to lock down lilo so that no one can pass
> parameters to the kernel from there?

> I have tried delay=0 and have tried restricted it, but you seem to always be
> able to enter something like :

> linux 1

> After doing that, it takes you straight into 1-user mode, without any
> password prompt. Any good advice on this?

> Brian.

 
 
 


Post by Troutm » Sat, 29 Jul 2000 04:00:00



>in lilo.conf :

>timeout=00
>restricted
>password=<password>

>make sure nobody can read the lilo.conf file :

>chmod 400 lilo.conf

Also, the password can be read in the map file (strings /boot/map) but
typically it is read only by root as well.

--
___________________________________________

    Mike Troutman
         http://www.troutman.org
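
Added example, not part of any post in this thread: a shell function that checks a lilo.conf against the configuration the replies above arrive at (password= together with restricted, a config file only root can read, /sbin/lilo rerun after every edit, and a map file only root can read). The function names, the default paths and the "FINDING:" output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the LILO settings discussed in this thread.
# Usage: audit_lilo [conf] [map]   (defaults: /etc/lilo.conf and /boot/map)
# Prints one "FINDING:" line per problem; returns 0 only when there are none.

# True if group or others have read permission on the file.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# True if the file has an uncommented line starting with the keyword,
# either bare ("restricted") or followed by "=" ("password=...").
has_keyword() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*(=|\$)" "$1"
}

audit_lilo() {
    conf=${1:-/etc/lilo.conf}
    map=${2:-/boot/map}
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Simplification: keywords are accepted at global or per-image scope.
    has_keyword "$conf" password   || report "$conf has no password= line"
    has_keyword "$conf" restricted || report "$conf has no 'restricted' line"

    # The password sits in the file as plain text, so only root should read it.
    if readable_by_others "$conf"; then
        report "$conf is readable by group/others"
    fi

    # Edits do nothing until /sbin/lilo rewrites the map file.
    if [ ! -e "$map" ]; then
        report "$map not found: has /sbin/lilo been run?"
    elif [ "$conf" -nt "$map" ]; then
        report "$conf is newer than $map: rerun /sbin/lilo"
    fi

    # The thread notes the password can be pulled from the map with strings.
    if readable_by_others "$map"; then
        report "$map is readable by group/others"
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as root with no arguments to check the live files, or pass two paths to check copies.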

 
 
 

1. lilo.conf and lilo.conf~

Hi,

I wonder if anyone knows what's going on.  I've upgraded my kernel to a
newer one, and I went to change my /etc/lilo.conf file to get it to boot
into it correctly.  So far so good, the online documentation was fine.

So now I had Windows, the older kernel and the newer kernel as options.  So
far so good.

Then I decided to delete the older kernel.  I deleted any of the files that
had anything related to the older kernel from /boot.  I then changed
lilo.conf to remove the entry for the older kernel as well.

I restart my computer and I get the exact same boot options - Windows,
Older kernel and new kernel.

After a bit of digging, I found there was a different file called
/etc/lilo.conf~ which had my old settings to boot.  So this file was
probably the one it was using to choose my boot options.  Why is that?

Also, it's weird because this old lilo.conf~ file which has the old kernel
still as an option runs fine.

image="/boot/vmlinuz-2.4.2-2"
        label="linux"
        read-only
        root="/dev/hda4"

When I select "linux" from Lilo, it boots into Linux fine, even though there is no
"/boot/vmlinuz-2.4.2-1", (not even a hidden file of that name).

Here's a copy of linux.conf~ file in all its entirety:

boot="/dev/hda"
map=/boot/map
install=/boot/boot.b
prompt
timeout="50"
message=/boot/message
lba32
default=Windows

image="/boot/vmlinuz-2.4.2-2"
        label="linux"
        read-only
        root="/dev/hda4"

other=/dev/hda1
        optional
        label=Windows

image="/boot/vmlinuz-2.4.3-12"
        label="LinuxNew"
        root="/dev/hda4"
        read-only

(the linux.conf file is the same, just without the /boot/vmlinuz-2.4.2-2
image).

Any help appreciated,

Michael
