Protecting Against Single Mode
A few months back, I showed you a way to change a lost root password using
single mode. Boot using the command linux single, change the password,
reboot. It’s a pretty easy solution to what seems to be a daunting problem.
The question this raises, though, is: how secure is single mode in Linux? It stands to
reason that anyone with physical access to your machine could simply reboot into
single mode and follow the same steps, potentially shutting you out of root
access on your own machine. Or worse yet, wreaking irreparable havoc via the
Today’s TWEAK will prevent exactly that horrible scenario, provided you’re using
LILO as your boot manager.
Open /etc/lilo.conf in your favorite text editor. Beneath the line in lilo.conf
add the following two lines:
Save the modified configuration file and execute /sbin/lilo to commit the
changes. The net effect is that anyone attempting to use single mode on your
machine will be required to enter the root password. If they had the password to
start with, they wouldn’t need to use single mode, would they?
You can (and should), of course, take this to another level by resetting the
permissions on the /etc/lilo.conf file:
chmod 600 /etc/lilo.conf
This is a good idea regardless. Setting the permissions on the file to 600 means
that the user (owner) of /etc/lilo.conf has read and write permissions. Neither
the group nor the world can read or write to the file. Since /etc/lilo.conf is
created and owned by root by default, this simple permissions change should lock
out all other users from modifying your /etc/lilo.conf file and reading or
changing the newly added password line. You’ll need to perform all these
actions as root, by the way.
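The two checks above (a password-protected boot prompt and a lilo.conf that only its owner can read) can be verified with a short script. This is an added example, not part of the original tip: it assumes the protection is LILO's password= and restricted options, which this copy of the page does not show, and the function name audit_lilo_conf and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for single-mode protection.
# Assumption: the protection is LILO's "password=" and "restricted" options;
# audit_lilo_conf and its variables are hypothetical names.

# audit_lilo_conf FILE [EXPECTED_UID]  -> 0 only if every check passes
audit_lilo_conf() {
    conf=$1
    want_uid=${2:-0}   # /etc/lilo.conf is owned by root (uid 0) by default
    rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 2; }
    # Without a password line, "restricted" has nothing to enforce.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "ok:   password option present"
    else
        echo "FAIL: no password= line"; rc=1
    fi
    # "restricted" prompts for the password only when boot parameters
    # such as "single" are typed at the LILO prompt.
    if grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$conf"; then
        echo "ok:   restricted option present"
    else
        echo "FAIL: no restricted line"; rc=1
    fi
    # The file holds the password line, so group and world must have
    # no access at all (mode 600 or stricter).
    listing=$(ls -ldn "$conf")
    perms=$(printf '%s\n' "$listing" | cut -c5-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$perms" = "------" ]; then
        echo "ok:   no group/world access"
    else
        echo "FAIL: group/world bits '$perms' set, run chmod 600"; rc=1
    fi
    if [ "$owner" = "$want_uid" ]; then
        echo "ok:   owned by uid $want_uid"
    else
        echo "FAIL: owned by uid $owner, expected $want_uid"; rc=1
    fi
    return $rc
}
# Constructed sample config (not from the page), audited in a temp directory.
tmp=$(mktemp -d)
printf 'boot=/dev/sda\nprompt\npassword=CHANGEME\nrestricted\nimage=/boot/vmlinuz\n\tlabel=linux\n' > "$tmp/lilo.conf"
chmod 644 "$tmp/lilo.conf"
audit_lilo_conf "$tmp/lilo.conf" "$(id -u)" || echo "=> not protected yet"
chmod 600 "$tmp/lilo.conf"
audit_lilo_conf "$tmp/lilo.conf" "$(id -u)" && echo "=> protected"
rm -rf "$tmp"
```

On a real system, run it as root with no second argument: audit_lilo_conf /etc/lilo.conf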
Now, don’t you feel just a bit safer?