User Tools

Site Tools


security:seclilo

SECURING LILO BOOT MANAGER

A user with physical access to a Linux system using the LILO bootloader can use an inadeuqately secured LILO to boot into single-user mode, gaining root access to the machine, or to otherwise pass options to the booting kernel that will result in a vulnerable system.

Configuration explanations

You can prevent this by causing LILO to prompt for a password before booting a kernel image by specifying options in the /etc/lilo.conf configuration file.

As top-level (global) options:

  • password=[password] will cause LILO to associate a password with booting any kernel image.
  • mandatory will cause LILO to always prompt for an associated password when booting a kernel image.
  • restricted will cause LILO to prompt for an associated password only if kernel parameters are specified to be passed to the booting kernel (such as single to boot into single user mode).

As second-level (image) options to a kernel image image= declaration

  • password=[password] will cause LILO to associate a password with booting the kernel image for which it is given as an option.
  • mandatory will cause LILO to always prompt for a password when booting the kernel image for which it is given as an option.
  • restricted will cause LILO to prompt for a password when booting the kernel image for which it is given as an option, only if kernel parameters are specified to be passed to the booting kernel (such as single to boot into single user mode).
  • bypass will cause LILO to bypass prompting for a password when booting the kernel image for which it is given as an option.

It should be taken into consideration, however, that you will be unable to reboot the system remotely into a kernel image for which the mandatory option is specified, unless someone is on hand to enter the password LILO will prompt for. For this reason, if remotely rebooting the machine is important, the restricted option should be given instead for any kernel image for which you wish to reboot remotely. A user with physical access to the system will be able to boot the restricted kernel image, but will be unable to pass kernel parameters to the booting kernel, such as to cause the system to boot into single user mode.

Alternatively, you may remove the prompt top-level option to prevent the user from being prompted for the selection of the kernel to boot, or to pass kernel parameters to the booting kernel.

Example: To prevent users with physical access from booting into single user mode or otherwise from passing potentially insecure kernel parameters to the booting kernel:

  • Include password=[password] as a top level option in /etc/lilo.conf.
  • Include restricted as a top level option in /etc/lilo.conf

Ensure that /etc/lilo.conf is readable only by the root user. Otherwise, non-root users would be able to discover by the boot password. Executing

chmod 600 /etc/lilo.conf

should set permissions appropriate for your distribution, if they are not already set correctly. To update LILO, execute /sbin/lilo. If you are uncertain whether you have configured everything properly, be sure that you have access to a boot disk before rebooting your system to test your secure configuration. The way to get into a unprotected system: apply the boot params “init=/bin/bash rw” ie if you use lilo, and your image is “linux” try

linux init=/bin/bash rw

this should drop you to a root shell. just edit your passwd file.

Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should only be readable for the super-user root.

[root@deep] # chmod 600 /etc/lilo.conf

Now we must update our configuration file /etc/lilo.conf for the change to take effect.

[root@deep] # /sbin/lilo -v 

One more security measure you can take to secure the lilo.conf file is to set it immutable, using the chattr command. To set the file immutable simply, use the command:

[root@deep] # chattr +i /etc/lilo.conf

And this will prevent any changes accidental or otherwise to the lilo.conf file. If you wish to modify the lilo.conf file you will need to unset the immutable flag: To unset the immutable flag, use the command:

[root@deep] # chattr -i /etc/lilo.conf

security/seclilo.txt · Last modified: 2013/03/16 17:41 (external edit)