Hi Harsh,
To prevent any unauthorised user from booting Linux into single user mode you could add the following lines to /etc/lilo.conf:
restricted
requires a password to be used if boot time options (such as "linux single") are passed to the boot loader. Make sure you use this one on each image (otherwise the server will need a password to boot, which is fine if you're never planning to remotely reboot it).
password=
requires the user to input a password; used in conjunction with restricted. Also make sure lilo.conf is no longer world readable, or any user will be able to read the password.
Here is an example of lilo.conf taken from Kurt Seifried's Linux Administrator's Security Guide:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=100
default=linux
image=/boot/vmlinuz-2.2.5
    label=linux
    root=/dev/hda1
    read-only
    restricted
    password=s0m3_pAsSw0rD_h3r3
This boots the system using the /boot/vmlinuz-2.2.5 kernel, stored on the first portion (right after the MBR) of the first IDE hard drive of the system. The prompt keyword would normally stop unattended rebooting; however, it is set in the image, so it can boot "linux" no problem, but it would ask for a password if you entered "linux single". So if you want to go into "linux single" you have 10 seconds to type it in, at which point you would be prompted for the password ("s0m3_pAsSw0rD_h3r3").
One minor security measure you can take to secure the lilo.conf file is to set it immutable, using the "chattr" command. To set the file immutable simply:
chattr +i /etc/lilo.conf
and this will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to modify the lilo.conf file you will need to unset the immutable flag:
chattr -i /etc/lilo.conf
Only the root user has access to the immutable flag.
For further information and clarification read the Linux Administrator's Security Guide (LASG) by Kurt Seifried. The LASG is available at: http://www.securityportal.com/lasg/
Bye,
Kapil Karekar
----- Original Message -----
From: Harsh R Busa
To: linuxers@mm.ilug-bom.org.in
Sent: Friday, August 23, 2002 1:45 AM
Subject: [ILUG-BOM] disabling linux single
plz enlighten me about disabling linux single feature of lilo in most redhat systems
thanx harsh
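
An audit of the settings described in the message above, as an added example that is not part of the original post: it flags a world-readable lilo.conf, images that have a password but no restricted keyword (password asked on every boot), and images with no password at all. The image names vmlinuz-old and vmlinuz-rescue, the placeholder password and the finding labels are constructed for illustration.

```sh
# Added example (not from the original post): audit a lilo.conf for the
# settings discussed above. Prints one finding per line, nothing if clean.
audit_lilo_conf() {
    conf=$1
    # password= is stored in clear text, so the file must not be world readable.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE $conf"
    fi
    awk '
    # Report the section just finished; global options apply to every image.
    function report() {
        if (name == "") return
        if (!(pw || gpw))      print "NO_PASSWORD " name
        else if (!(rs || grs)) print "PASSWORD_ON_EVERY_BOOT " name
    }
    function value(s) { sub(/^[^=]*=[ \t]*/, "", s); return s }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == ""                 { next }
    /^(image|other)[ \t]*=/  { report(); name = value($0); pw = 0; rs = 0; next }
    /^label[ \t]*=/          { if (name != "") name = value($0); next }
    /^password[ \t]*=/       { if (name == "") gpw = 1; else pw = 1; next }
    /^restricted$/           { if (name == "") grs = 1; else rs = 1; next }
    END { report() }
    ' "$conf"
}

# Constructed sample: "linux" is protected as described above, "old" has a
# password but no restricted keyword, "rescue" has no password at all.
write_sample() {
    cat > "$1" <<'EOF'
boot=/dev/hda
prompt
timeout=100
image=/boot/vmlinuz-2.2.5
    label=linux
    restricted
    password=CONSTRUCTED_PLACEHOLDER
image=/boot/vmlinuz-old
    label=old
    password=CONSTRUCTED_PLACEHOLDER
image=/boot/vmlinuz-rescue
    label=rescue
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
audit_lilo_conf "$sample"
rm -f "$sample"
```

Run against the real file as root with `audit_lilo_conf /etc/lilo.conf`; no output means every image has a password with restricted and the file is not world readable.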