linux-admin.vger.kernel.org archive mirror
From: Bradley Hook <bhook@kssb.net>
To: linux-admin@vger.kernel.org
Subject: Re: Root Permissions
Date: Fri, 02 Jul 2004 13:27:05 -0500
Message-ID: <40E5A8F9.6060204@kssb.net>
In-Reply-To: <17daa85604063022341453892a@mail.gmail.com>

Even with a LILO password, it's still rather easy to bypass. You can 
easily stick in a bootable CD and get into the machine without a 
password (I've done this for recovery more than once). And a BIOS 
password is just another bump in the road for anyone wanting to hack a 
machine; it takes 30 seconds and a screwdriver to get around that (unless 
the case has thumb screws, then just 30 seconds). Basically, if someone 
has physical access to the machine, there will always be a way to get 
access. You can keep your data fairly safe with an encrypted filesystem, 
but the machine has to boot from something, so there is always something 
that can be compromised.

Also, there's a project called tripwire that you can use to detect 
changes to your system. Encrypt the verification files that this program 
generates, or store them somewhere other than the local system's hdd. 
It's also not a bad idea to keep very sensitive files (like your private 
encryption keys) on some kind of removable media; a USB thumb drive or 
similar would do the trick.

~Brad
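
A minimal version of the baseline-and-verify check Brad describes, added here as an example rather than taken from tripwire or from the thread: it hashes the binaries Ahsan names as the usual root-kit replacements and later reports anything changed or missing. The file list, the manifest location on the USB stick and the usage paths in the comments are assumptions.

```shell
#!/bin/sh
# Tripwire-style baseline check (added example, not tripwire itself).
# Hash the binaries a root-kit typically replaces and verify them later
# against a manifest kept off the local disk, as Brad suggests.

# make_baseline ROOT FILE... : print "hash  path" lines for each FILE
# that exists below ROOT (paths relative to ROOT, e.g. bin/ps).
make_baseline() {
    root="$1"; shift
    for f in "$@"; do
        if [ -f "$root/$f" ]; then
            sha256sum "$root/$f"
        fi
    done
    return 0
}

# verify_baseline MANIFEST : re-hash every path in MANIFEST and report
# CHANGED or MISSING files; returns 1 if anything differs, 0 if clean.
# The redirect keeps the loop in the current shell so $status survives.
verify_baseline() {
    manifest="$1"
    status=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Typical use (assumed paths; the USB mount is the off-host store):
#   make_baseline / bin/ps bin/netstat bin/ls bin/login sbin/init \
#       > /mnt/usb/baseline.sha256
#   verify_baseline /mnt/usb/baseline.sha256
if [ "$1" = "--verify" ] && [ -n "$2" ]; then
    verify_baseline "$2"
fi
```

Run the verify step from a clean boot medium when you suspect a compromise, since a replaced sha256sum or a kernel-level root-kit on the running system can lie to it.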

Ahsan Ali wrote:
> Hello Anindya,
> 
> The only surefire way of recovering from this is to rebuild the
> machines from scratch. He could have installed several backdoors into
> the system and no matter how many you find (if any) there will almost
> certainly be more.
> 
> In fact, replacing netstat, ps etc with modified binaries which are
> standard with "root-kits" he pretty much guarantees that you will not
> even be able to see the process(es) that he installed that listen on
> some other port for incoming connections.
> 
> So... if I were in your place, I would most certainly rebuild from scratch.
> 
> And oh... use a LILO password.
> 
> All you need to add are two lines:
> 
> password=<password>
> restricted
> 
> to the LILO global config section in /etc/lilo.conf. The restricted
> keyword will allow normal boot but will prompt you for the password
> specified if you attempt to pass lilo any parameters at bootup.
> 
> Be sure to run lilo after making changes to /etc/lilo.conf, also since
> the password is in clear text, make sure lilo.conf is not readable by
> anyone except root.
> 
> chmod 600 /etc/lilo.conf
> 
> Regards,
> 
> Ahsan Ali
> 
> On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar <anindya@cmi.ac.in> wrote:
> 
>> Hi,
>> The following problem may be trivial to some of you, however my
>> knowledge of Linux is limited, and I don't understand how it can be
>> done.
>> In our institute, we use Debian Linux, and the boot loader is lilo.
>> For those machines where the lilo password is not set, ANYONE can
>> get a root shell by simply interrupting the boot process and typing
>> linux init=/bin/sh in the boot prompt.
>> One of my friends obtained a root shell in this manner, and has
>> either made some changes, or set up some program, by which he can
>> become root any time, without actually knowing the root password,
>> which is known only to our system administrator. What may be the
>> possible things he has done to set up his program, and how can it be
>> reversed?
>> Thanks in advance.
>> Anindya Mozumdar.
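
Ahsan's two lilo.conf settings and the chmod 600 turned into an automated check, added here as an example (not from the thread): it looks for password= and restricted in the global section, i.e. before the first image= or other= stanza, and for root-only permissions on the file. The use of GNU stat (as on Debian) and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Audit a lilo.conf for the hardening Ahsan describes (added example,
# not from the thread): a global password= line, the restricted keyword,
# and root-only permissions, since the password is stored in clear text.
# Uses GNU stat (Debian); the path in the usage comment is assumed.

# audit_lilo_conf FILE : print each finding, return 0 only if all pass.
audit_lilo_conf() {
    conf="$1"
    rc=0
    # Global section = everything before the first image= or other= stanza;
    # a password inside a stanza only protects that one image.
    global=$(awk '/^[[:space:]]*(image|other)[[:space:]]*=/ { exit } { print }' "$conf")
    if ! printf '%s\n' "$global" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "$conf: no global password= line"; rc=1
    fi
    if ! printf '%s\n' "$global" | grep -Eq '^[[:space:]]*restricted([[:space:]]|$)'; then
        echo "$conf: no global restricted keyword (boot parameters accepted without a password)"; rc=1
    fi
    # The file holds the clear-text password, so nobody but root may read it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$conf: mode is '$mode', expected 600 (chmod 600 $conf)"; rc=1 ;;
    esac
    return $rc
}

# Typical use; re-run /sbin/lilo after any change to the file:
#   audit_lilo_conf /etc/lilo.conf && echo "lilo.conf looks fine"
if [ -n "$1" ]; then
    audit_lilo_conf "$1"
fi
```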

