A user with physical access to a Linux system that boots with the LILO bootloader can use an inadequately secured LILO to boot into single-user mode and gain root on the machine, or to pass other options to the booting kernel that leave the system vulnerable.
Configuration explanations
You can prevent this by making LILO prompt for a password before booting a kernel image, which is done by specifying options in the /etc/lilo.conf configuration file.
As top-level (global) options:
As second-level (image) options within a kernel image's image= declaration:
Bear in mind, however, that you will be unable to reboot the system remotely into a kernel image for which the mandatory option is specified, unless someone is at the console to enter the password LILO prompts for. If rebooting the machine remotely matters, give the restricted option instead for any kernel image you wish to reboot into remotely: a user with physical access can still boot a restricted image, but LILO asks for the password only when parameters are passed to the kernel, so that user cannot, for example, boot the system into single-user mode.
Alternatively, you may remove the prompt top-level option so that the user is not offered the boot: prompt at all, and therefore can neither select the kernel to boot nor pass parameters to it. This only helps while delay is left at its default of 0; with a non-zero delay, holding Shift, Ctrl or Alt during the delay still brings up the prompt.
Example: To prevent users with physical access from booting into single user mode or otherwise from passing potentially insecure kernel parameters to the booting kernel:
Ensure that /etc/lilo.conf is readable only by the root user. Otherwise, non-root users would be able to read the boot password. Executing
chmod 600 /etc/lilo.conf
should set permissions appropriate for your distribution, if they are not already set correctly. To make the change effective, run /sbin/lilo. If you are uncertain whether you have configured everything properly, make sure you have a boot disk available before rebooting the system to test your secure configuration.
This is how an unprotected system is broken into: the attacker passes the boot parameters "init=/bin/bash rw" to the kernel. With LILO and an image labelled "linux", typing
linux init=/bin/bash rw
at the boot: prompt drops to a root shell without any login, from which the attacker simply edits the passwd file. Both restricted and mandatory stop this, because either makes LILO demand the password before it accepts any kernel parameters.
Because the configuration file /etc/lilo.conf now contains the password in plaintext, it must be readable only by the super-user root.
[root@deep] # chmod 600 /etc/lilo.conf
Now we must run /sbin/lilo so that the change to /etc/lilo.conf is written to the boot map and takes effect.
[root@deep] # /sbin/lilo -v
One more measure you can take to protect the lilo.conf file is to set it immutable with the chattr command. To set the file immutable, use the command:
[root@deep] # chattr +i /etc/lilo.conf
This prevents any change to the lilo.conf file, accidental or otherwise, even by root, until the flag is cleared. It is not a barrier against an attacker who has already obtained a root shell, since that attacker can clear the flag just as easily. If you wish to modify the lilo.conf file yourself, unset the immutable flag with the command:
[root@deep] # chattr -i /etc/lilo.conf
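The following script is an added example, not part of the original page or of LILO itself. It audits a lilo.conf (any path, so it can be run on a copy) for the weaknesses described above: an image stanza that no password= protects, a file containing a password that group or other can read, and whether the immutable flag is set. It also constructs two sample configurations, a weak one and a hardened one, purely for demonstration; the password, device names and labels in them are made up. The restricted/mandatory precedence it applies is a simplification of lilo.conf(5): an image counts as restricted if it says so itself, or if the global restricted applies and the image does not say mandatory.

```shell
#!/bin/sh
# lilo_audit FILE: report WEAK/OK/NOTE findings for a lilo.conf.
# Returns 0 when there is no WEAK finding, 1 otherwise.
lilo_audit() {
    f="$1"
    rc=0

    # Permission check: the group/other bits of "ls -l" must all be "-".
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        ------) echo "OK: $f is readable by root only" ;;
        *) printf 'WEAK: %s is readable by group/other (mode bits %s); the boot password is exposed. Fix: chmod 600 %s\n' "$f" "$perms" "$f"
           rc=1 ;;
    esac

    # Immutable flag (only meaningful on ext2/3/4; lsattr may be absent or fail).
    if command -v lsattr >/dev/null 2>&1; then
        if lsattr "$f" 2>/dev/null | awk '{ print $1 }' | grep -q i; then
            echo "OK: $f is immutable"
        else
            echo "NOTE: $f is not immutable (chattr +i $f guards it against accidental edits)"
        fi
    fi

    # Stanza check: options before the first image=/other= line are global.
    awk '
    BEGIN { bad = 0; gpw = 0; grs = 0; inimg = 0; img = ""; lbl = ""; prompt = 0 }
    function flush(    name) {
        if (img == "") return
        name = (lbl != "") ? lbl : img
        if (!(gpw || ipw)) {
            print "WEAK: image \"" name "\" has no password; \"" name " init=/bin/bash rw\" boots to a root shell"
            bad = 1
        } else if (irs || (grs && !imand)) {
            print "OK: image \"" name "\" is restricted (password needed only when parameters are given)"
        } else {
            print "OK: image \"" name "\" is mandatory (password on every boot, so no unattended remote reboot)"
        }
        img = ""; lbl = ""; ipw = 0; irs = 0; imand = 0
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # strip comments and whitespace
    $0 == "" { next }
    /^(image|other)[ \t]*=/ { flush(); sub(/^[^=]*=[ \t]*/, ""); img = $0; inimg = 1; next }
    /^label[ \t]*=/        { if (inimg) { sub(/^[^=]*=[ \t]*/, ""); lbl = $0 } next }
    /^password[ \t]*=/     { if (inimg) ipw = 1; else gpw = 1; next }
    /^restricted$/         { if (inimg) irs = 1; else grs = 1; next }
    /^mandatory$/          { if (inimg) imand = 1; next }
    /^prompt$/             { prompt = 1; next }
    END {
        flush()
        if (prompt && !gpw)
            print "NOTE: prompt is set without a global password; the boot: prompt accepts parameters for every unprotected image"
        exit bad
    }' "$f" || rc=1

    return $rc
}

# make_samples DIR: write two constructed lilo.conf files (not real system files).
# weak.conf has no password and is world-readable; hard.conf has a global
# password with restricted, one image left mandatory, and mode 600.
make_samples() {
    d="$1"
    cat > "$d/weak.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    chmod 644 "$d/weak.conf"
    cat > "$d/hard.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=s3cret      # constructed sample password
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
image=/boot/vmlinuz.old
    label=old
    mandatory
    root=/dev/hda1
    read-only
EOF
    chmod 600 "$d/hard.conf"
}

# Usage: sh lilo_audit.sh /etc/lilo.conf
if [ $# -gt 0 ]; then
    lilo_audit "$1"
fi
```

On a live system run it as root against /etc/lilo.conf after editing and before running /sbin/lilo, and treat any WEAK line as a reason not to reboot yet. The awk parser deliberately ignores everything except the handful of keywords the page discusses, so unusual stanzas (for example a per-image password without a global one) are classified by the simplified rule stated in the comments, not by LILO's full precedence.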