
Protecting against Single Mode


A few months back, I showed you a way to change a lost root password using
single mode. Boot using the command linux single, change the password,
reboot. It’s a pretty easy solution to what seems to be a daunting problem.

The issue raised, though, is how secure is single mode in Linux? It stands to
reason that anyone with physical access to your machine could simply reboot into
single mode and follow the same steps, potentially shutting you out of root
access on your own machine. Or worse yet, wreaking irreparable havoc via the
root account.

Today’s TWEAK will prevent exactly that horrible scenario, provided you’re using
LILO as your boot manager.

Open /etc/lilo.conf in your favorite text editor. Beneath the line in lilo.conf
that reads:

    root=/dev/hda2

add the following two lines:

    password=yourpassword
    restricted

Save the modified configuration file and execute /sbin/lilo to commit the
changes. The net effect is that anyone attempting to use single mode on your
machine will be required to enter the root password. If they had the password to
start with, they wouldn’t need to use single mode, would they?

You can (and should), of course, take this to another level by resetting the
permissions on the /etc/lilo.conf file:

    chmod 600 /etc/lilo.conf

This is a good idea regardless. Setting the permissions on the file to 600 means
that the user (owner) of /etc/lilo.conf has read and write permissions. Neither
the group nor the world can read or write to the file. Since /etc/lilo.conf is
created and owned by root by default, this simple permissions change should lock
out all other users from modifying your /etc/lilo.conf file and reading or
changing the newly added password line. You’ll need to perform all these
actions as root, by the way.
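
To confirm the steps above took effect, the following shell function checks a lilo.conf for a password= line, a restricted line, mode 600 and the expected owner. It is an added example, not part of the original article; the name audit_lilo_conf and its two parameters are conventions of this example, and it inspects the file only, not whether /sbin/lilo was re-run.

```sh
#!/bin/sh
# Added example: audit a lilo.conf for the hardening described above.
# Usage: audit_lilo_conf [FILE] [OWNER_UID]
#   FILE defaults to /etc/lilo.conf; OWNER_UID defaults to 0 (root).
#   Both parameters are conventions of this example.
audit_lilo_conf() {
    conf=${1:-/etc/lilo.conf}
    want_uid=${2:-0}
    rc=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found"
        return 2
    fi

    # Drop comments so a commented-out directive does not count.
    body=$(sed 's/#.*//' "$conf")

    # The two lines the article adds: password=... and restricted.
    if ! printf '%s\n' "$body" |
        grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        echo "FAIL: no password= line with a value"
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*restricted[[:space:]]*$'; then
        echo "FAIL: no restricted line"
        rc=1
    fi

    # chmod 600 means owner read/write only. ls -n prints the numeric uid.
    set -- $(ls -ldn "$conf")
    perms=$(printf '%s' "$1" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "FAIL: mode is $perms, expected -rw------- (600)"
        rc=1
    fi
    if [ "$3" != "$want_uid" ]; then
        echo "FAIL: owner uid is $3, expected $want_uid"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```

Run it as root with no arguments to check /etc/lilo.conf; a non-zero exit status means at least one check failed.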

Now, don’t you feel just a bit safer?
