From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bradley Hook Subject: Re: Root Permissions Date: Fri, 02 Jul 2004 13:27:05 -0500 Sender: linux-admin-owner@vger.kernel.org Message-ID: <40E5A8F9.6060204@kssb.net> References: <20040701050425.GA7890@cmi.ac.in> <17daa85604063022341453892a@mail.gmail.com> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <17daa85604063022341453892a@mail.gmail.com> List-Id: Content-Type: text/plain; charset="us-ascii"; format="flowed" To: linux-admin@vger.kernel.org Even with a LILO password, it's still rather easy to bypass. You can easily stick in a bootable CD and get into the machine without a password (I've done this for recovery more than once). And a BIOS password is just another bump in the road for anyone wanting to hack a machine, takes 30 seconds and a screwdriver to get around that (unless the case has thumb screws, then just 30 seconds). Basically, if someone has physical access to the machine, there will always be a way to get access. You can keep your data fairly safe with an encrypted filesystem, but the machine has to boot from something, so there is always something that can be compromised. Also, there's a project called tripwire that you can use to detect changes to your system. Encrypt the verification files that this program generates, or store them somewhere other than the local system's hdd. It's also not a bad idea to keep very sensitive files (like your private encryption keys) on some kind of removable media; a usb thumb drive or similar would do the trick. ~Brad Ahsan Ali wrote: > Hello Anindya, > > The only surefire way of recovering from this is to rebuild the > machines from scratch. He could have installed several backdoors into > the system and no matter how many you find (if any) there will almost > certainly be more. > > In fact, replacing netstat, ps etc with modified binaries which are > standard with "root-kits" he pretty much guarantees that you will not > even be able to see the process(es) that he installed that listen on > some other port for incoming connections. > > So... if I were in your place, I would most certainly rebuild from scratch. > > And oh... use a LILO password. > > All you need to add are two lines: > > password= > restricted > > to the LILO global config section in /etc/lilo.conf. The restricted > keyword will allow normal boot but will prompt you for the password > specified if you attempt to pass lilo any parameters at bootup. > > Be sure to run lilo after making changes to /etc/lilo.conf, also since > the password is in clear text, make sure lilo.conf is not readable by > anyone except root. > > chmod 600 /etc/lilo.conf > > Regards, > > Ahsan Ali > > On Thu, 1 Jul 2004 10:34:25 +0530, Anindya Mozumdar wrote: > >>Hi, >> The following problem may be trivial to some of you, however my >> knowledge of linux is limited, and I dont understand how can it be >> done. >> In our institute, we use Debian Linux, and the boot loader is lilo. >> For those machines where the lilo password is not set, ANY ONE can >> get a root shell by simply interrupting the boot process and typing >> linux init=/bin/sh in the boot prompt. >> One of my friends obtained a root shell in this manner, and has >> either made some changes, or set up some program, by which he can >> become root any time, without acutally knowing the root password, >> which is known only to our system administrator. What may be the >> possible things he has done to setup his program, and how can it be >> reversed ? >> Thanks in advance. >>Anindya Mozumdar. >>- >>To unsubscribe from this list: send the line "unsubscribe linux-admin" in >>the body of a message to majordomo@vger.kernel.org >>More majordomo info at http://vger.kernel.org/majordomo-info.html >> > > - > To unsubscribe from this list: send the line "unsubscribe linux-admin" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >