Steve
Newsgroup replies preferred. Remove nospam when replying thru email.
>I have a machine running Redhat, and have an issue with people being
>able to use LINUX SINGLE to get into the system and change the root
>password. I'm aware this machine should be in a more secure place.
>That is not an option. Is there a way to eliminate the LINUX SINGLE
>access to the box, and floppy access if that is also possible to side
>track the login screen? Thanks.
Checkout the password and restricted options for lilo (man lilo.conf).
Also bios passwords, if supported, would help. Everone needs more
passwords to remember, right.
garthurp at thisisnonsense sodeleteit ispchannel dot com
Check out the "restricted" option for lilo.conf
Eg, from "man lilo.conf:"
restricted
A password is only required to boot the
image if
parameters are specified on the command line
(e.g.
single).
--
-John (John.T...@attglobal.net)
I've solved this problem as follows:
1) Give a password to the BIOS setup (same as root password for ease)
and boot by default from harddisk only (C only).
2) In lilo.conf, make timeout=0 so there's no time for anybody to
choose how to boot.
As a result, you only can boot with options (such as single) with
a floppy. But to boot from floppy, you'll need to edit the BIOS setup,
which requires the BIOS password.
-R-
wu...@bubba.ack.ping.telnet.kufgkjgfkgf.bom wrote:
>
> On Sun, 28 Nov 1999 03:33:08 GMT, syar...@nospam.enteract.com (Steve
> .) wrote:
>
> >I have a machine running Redhat, and have an issue with people being
> >able to use LINUX SINGLE to get into the system and change the root
> >password. I'm aware this machine should be in a more secure place.
> >That is not an option. Is there a way to eliminate the LINUX SINGLE
> >access to the box, and floppy access if that is also possible to side
> >track the login screen? Thanks.
>
> Checkout the password and restricted options for lilo (man lilo.conf).
> Also bios passwords, if supported, would help. Everone needs more
> passwords to remember, right.
>
> garthurp at thisisnonsense sodeleteit ispchannel dot com
--
For reply: please remove UNSPAM from reply address
Well, the very first thing that comes to mind is to modify the Linux kernel
to ignore the "single" option, or replace it with another word. However, have
you looked at using the lilo.conf with the "password=<whatever>" and
"restricted" entries in it? I haven't done this, but from reading the info page
on lilo.conf, it says that in this case the password is only needed if
parameters are specified on the command line. Of course, this means that
you'd better make sure the /etc/lilo.conf has mode 600 so that nobody but
root can read it.
Hope this helps,
John
> I have a machine running Redhat, and have an issue with people being
> able to use LINUX SINGLE to get into the system and change the root
> password. I'm aware this machine should be in a more secure place.
> That is not an option. Is there a way to eliminate the LINUX SINGLE
> access to the box, and floppy access if that is also possible to side
> track the login screen? Thanks.
Check the documentations for lilo. There's an option that asks for a
password during bootup. There's one flaw with it, though... the password
is stored in plain text in /etc/lilo.conf, so you'll have to disable the
read rights from other users...
****************************************************
* *
* JP Suominen jusu...@abo.fi listen.to/pyuria *
* *
****************************************************
Steve
On Sun, 28 Nov 1999 13:36:32 GMT,
wu...@bubba.ack.ping.telnet.kufgkjgfkgf.bom wrote:
>On Sun, 28 Nov 1999 03:33:08 GMT, syar...@nospam.enteract.com (Steve
>.) wrote:
>
>>I have a machine running Redhat, and have an issue with people being
>>able to use LINUX SINGLE to get into the system and change the root
>>password. I'm aware this machine should be in a more secure place.
>>That is not an option. Is there a way to eliminate the LINUX SINGLE
>>access to the box, and floppy access if that is also possible to side
>>track the login screen? Thanks.
>
Hope this helps,
BEH
On Sat, 04 Dec 1999 01:50:05 GMT, syar...@nospam.enteract.com (Steve
>I tried adding restricted before in the middle and end of the
>lilo.conf file. Didn't do anything. Also added the password=blabla
>and that didn't work either. Am I supposed to do this in a particular
>place, or in a particular format? Thanks.
They should go in the global section. If you ever change your
lilo.conf, you also must rerun lilo, before the changes take effect.
Also, even though it goes w/o saying, I'll say it. Make rael sure you
have a floppy that will boot your system before you play with lilo.
Steve