To prevent any unauthorised user from booting Linux into single user
mode you could add the following lines to /etc/lilo.conf:
requires a password to be used if boot time options (such as "linux single")
are passed to the boot loader. Make sure you use this one on each image
(otherwise the server will need a password to boot, which is fine if you're
never planning to remotely reboot it).
requires user to input a password, used in conjunction with restricted, also
make sure lilo.conf is no longer world readable, or any user will be able to
read the password.
Here is an example of lilo.conf taken from Kurt Seifried's Linux
Administrator's Security Guide:
This boots the system using the /boot/vmlinuz-2.2.5 kernel, stored on the
first portion (right after the MBR) of the first IDE hard drive of the
system, the prompt keyword would normally stop unattended rebooting, however
it is set in the image, so it can boot "linux" no problem, but it would ask
for a password if you entered "linux single", so if you want to go into
"linux single" you have 10 seconds to type it in, at which point you would
be prompted for the password ("s0m3_pAsSw0rD_h3r3").
One minor security measure you can take to secure the lilo.conf file is to
set it immutable, using the "chattr" command. To set the file immutable
chattr +i /etc/lilo.conf
and this will prevent any changes (accidental or otherwise) to the lilo.conf
file. If you wish to modify the lilo.conf file you will need to unset the
chattr -i /etc/lilo.conf
only the root user has access to the immutable flag.
For further information and clarification read the Linux Administrator's
Security Guide (LASG) by Kurt Seifried.
The LASG is available at: http://www.securityportal.com/lasg/
----- Original Message -----
From: Harsh R Busa
Sent: Friday, August 23, 2002 1:45 AM
Subject: [ILUG-BOM] disabling linux single
plz enlighten me about disabling linux single feature of lilo in most redhat
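The checks discussed in the reply above (a password set, "restricted" present on each image, and lilo.conf not world readable) can be audited with a short script. This is an added example, not part of the original message or the LASG; the function name audit_lilo_conf, the sample configuration and the placeholder password EXAMPLE-ONLY are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for the password/restricted setup described above.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_lilo_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: cannot read"; return 2; }
    out=$(
        # A stored password must not be readable by other users.
        if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf" &&
           [ "$(ls -ld "$conf" | cut -c8)" = r ]; then
            echo "$conf: world readable, any user can read the password"
        fi
        # password/restricted may be global (before the first image) or per image.
        awk '
        function report() {
            if (name == "") return
            if (!(gpw || pw)) print name ": no password, boot options are unprotected"
            else if (!(gres || res)) print name ": password without restricted, every boot prompts"
        }
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }      # drop comments and whitespace
        /^(image|other)=/ { report(); name = $0; pw = 0; res = 0; next }
        /^password=/      { if (name == "") gpw = 1; else pw = 1 }
        /^restricted$/    { if (name == "") gres = 1; else res = 1 }
        END { report() }' "$conf"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample (not the LASG example): second image lacks "restricted".
sample=$(mktemp)
cat > "$sample" <<'EOF'
prompt
timeout=100
image=/boot/vmlinuz-2.2.5
    label=linux
    password=EXAMPLE-ONLY
    restricted
image=/boot/vmlinuz-old
    label=old
    password=EXAMPLE-ONLY
EOF
chmod 644 "$sample"
audit_lilo_conf "$sample" || true
rm -f "$sample"
```

Run it as root against the real file with audit_lilo_conf /etc/lilo.conf; a non-zero return means at least one finding was printed.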