Securing LILO

From LQWiki

A user with physical access to a Linux system using the LILO bootloader can use an inadequately secured LILO to boot into single-user mode, gaining root access to the machine, or to otherwise pass options to the booting kernel that will result in a vulnerable system.

Configuration explanations

You can prevent this by causing LILO to prompt for a password before booting a kernel image by specifying options in the /etc/lilo.conf configuration file.

As top-level (global) options:

  • password=[password] will cause LILO to associate a password with booting any kernel image.
  • mandatory will cause LILO to always prompt for an associated password when booting a kernel image.
  • restricted will cause LILO to prompt for an associated password only if kernel parameters are specified to be passed to the booting kernel (such as single to boot into single user mode).

As second-level (image) options to a kernel image image= declaration:

  • password=[password] will cause LILO to associate a password with booting the kernel image for which it is given as an option.
  • mandatory will cause LILO to always prompt for a password when booting the kernel image for which it is given as an option.
  • restricted will cause LILO to prompt for a password when booting the kernel image for which it is given as an option, only if kernel parameters are specified to be passed to the booting kernel (such as single to boot into single user mode).
  • bypass will cause LILO to bypass prompting for a password when booting the kernel image for which it is given as an option.

It should be taken into consideration, however, that you will be unable to reboot the system remotely into a kernel image for which the mandatory option is specified, unless someone is on hand to enter the password LILO will prompt for. For this reason, if remotely rebooting the machine is important, the restricted option should be given instead for any kernel image for which you wish to reboot remotely. A user with physical access to the system will be able to boot the restricted kernel image, but will be unable to pass kernel parameters to the booting kernel, such as to cause the system to boot into single user mode.

Alternatively, you may remove the prompt top-level option so that the user is not prompted to select the kernel to boot or to pass kernel parameters to the booting kernel.

Example

To prevent users with physical access from booting into single user mode or otherwise from passing potentially insecure kernel parameters to the booting kernel:

  • Include password=[password] as a top-level option in /etc/lilo.conf.
  • Include restricted as a top-level option in /etc/lilo.conf.

Ensure that /etc/lilo.conf is readable only by the root user. Otherwise, non-root users would be able to discover the boot password. Executing chmod 600 /etc/lilo.conf should set permissions appropriate for your distribution, if they are not already set correctly.

To update LILO, execute /sbin/lilo. If you are uncertain whether you have configured everything properly, be sure that you have access to a boot disk before rebooting your system to test your secure configuration.
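The following audit sketch is an added example, not part of the original wiki page or of LILO itself: it parses lilo.conf text, works out the effective password protection of each image from the global and per-image options described above, and flags a file mode that would expose the password. The sample configuration is constructed, and the handling of label= and other= sections and the treatment of a bare password= as always prompting are assumptions.

```python
# Constructed sample /etc/lilo.conf; paths, labels and password are placeholders.
SAMPLE = """\
prompt
password=EXAMPLE-ONLY
restricted
image=/boot/vmlinuz
    label=linux
image=/boot/vmlinuz-rescue
    label=rescue
    mandatory
image=/boot/vmlinuz-test
    label=test
    bypass
"""

def parse(text):
    """Split lilo.conf text into (global options, list of per-image options)."""
    glob, images, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key in ("image", "other"):            # a second-level section starts
            images.append(cur := {key: val})
        else:
            (glob if cur is None else cur)[key] = val
    return glob, images

def protection(glob, img):
    """Classify one image as 'none', 'restricted' or 'mandatory'."""
    if "bypass" in img or not (img.get("password") or glob.get("password")):
        return "none"
    for scope in (img, glob):                    # image keyword overrides global
        for mode in ("mandatory", "restricted"):
            if mode in scope:
                return mode
    return "mandatory"  # assumption: always prompt when only password= is given

def audit(text, file_mode=0o600):  # findings: unprotected images, readable file
    glob, images = parse(text)
    out = [f"{i.get('label', '?')}: boots without a password prompt"
           for i in images if protection(glob, i) == "none"]
    if file_mode & 0o077 and any("password" in s for s in (glob, *images)):
        out.append(f"mode {file_mode:o}: password readable by non-root users")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o644)))
```

To check a real system, pass the contents of /etc/lilo.conf and the permission bits from os.stat() to audit() while running as root.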