Re: ***HUGE*** security hole??!! (Re: Lost root passwd)
On Sat, 10 Oct 1998, Norbert Nemec wrote:
> On Sat, 10 Oct 1998 10:42:52 +0100, Ralf G. R. Bergs wrote:
>
> >On Sat, 10 Oct 1998 00:52:49 -0700 (PDT), George Bonser wrote:
> >
> >[...]
> >>Allow me to translate. Boot the rescue disk as if you are installing,
> >[whole story deleted]
> >
> >Hey guys, why so complicated???
> >
> >What's wrong with giving LILO a kernel command line of "init=/bin/sh"? This way
> >you boot straight into sh, and you can then change the root password.
> >
> >This is how I usually do it under Slackware, and even tho Debian uses shadow
> >passwords it should work the same way.
>
>
> Ouch, I tried it, it really works!!!! That means on a standard
> Linux-machine, everybody could just switch off the power, give the
> LILO-kernel option on reboot and be root??!! Why not simply drop the
> need of a login password?
>
see 'man lilo.conf' re: "restricted" and "password"
i.e.:
[lilo.conf]
boot=/dev/hda
install=/boot/boot.b
map=/boot/map
compact
vga=5
delay=100
default=Linux

image=/vmlinuz
        label=Linux
        root=/dev/hdc1
        read-only
        # password for this image; with "restricted" it is only asked for
        # when parameters are given on the command line
        password=poiu
        restricted

image=/vmlinuz.old
        label=oldlinux
        root=/dev/hdc1
        optional
        read-only

other=/dev/hda1
        label=Win
        loader=/boot/chain.b
        table=/dev/hda
[end]
Michael Beattie (mickyb@es.co.nz)
PGP Key available, reply with "pgpkey" as subject.
-----------------------------------------------------------------------------
"Game over, man! GAME OVER!!!"
-----------------------------------------------------------------------------
Debian GNU/Linux.... Ooohh You are missing out!
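
Added example, not part of the original message: a small audit of a lilo.conf that reports which boot entries still accept kernel parameters such as "init=/bin/sh" without a password, since a per-image "password"/"restricted" pair covers only the image it appears under. The function names and the sample config (modelled on the one posted above, with a placeholder password) are constructed for illustration.

```python
# Added example: classify each lilo.conf boot entry by its password protection.
SAMPLE = """\
default=Linux
image=/vmlinuz
  label=Linux
  root=/dev/hdc1
  password=CONSTRUCTED-PLACEHOLDER
  restricted
image=/vmlinuz.old
  label=oldlinux
  root=/dev/hdc1
other=/dev/hda1
  label=Win
"""

def parse(text):
    """Return (global_opts, sections); each section is a dict of its options."""
    glob, sections, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        key, _, val = line.partition("=")     # flag options have no "="
        key, val = key.strip().lower(), val.strip()
        if key in ("image", "other"):         # a new per-image section starts
            cur = {"kind": key, "path": val}
            sections.append(cur)
        elif cur is None:                     # before the first section: global
            glob[key] = val
        else:
            cur[key] = val
    return glob, sections

def audit(text):
    """Map each boot label to 'open', 'restricted' or 'password'."""
    glob, sections = parse(text)
    result = {}
    for s in sections:
        label = s.get("label", s["path"])
        has_pw = "password" in s or "password" in glob
        restricted = "restricted" in s or "restricted" in glob
        # open: no password at all; restricted: asked only when parameters are
        # given; password: asked on every boot of this entry
        result[label] = "open" if not has_pw else ("restricted" if restricted else "password")
    return result

if __name__ == "__main__":
    for label, state in audit(SAMPLE).items():
        print(f"{label:10s} {state}")
```

An entry reported as "open" boots with any parameters typed at the LILO prompt; moving "password" and "restricted" to the global section applies them to every entry.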