Another Backdoor to Root Access

By Brian Hatch, ITworld |  News

In last week's article, I showed you how to enter single user mode at
the lilo prompt, a la:

lilo: linux single

or

lilo: linux 1

Both of those arguments tell init to boot into runlevel 1, single user
mode. If you have sulogin set to run, then single user mode is only
available if you know the actual root password, which is a good thing.
However, another method exists for gaining passwordless root access from
the console without using single user mode at all.

Normally, the Linux kernel launches /sbin/init once it has finished
loading. init is responsible for starting all the programs appropriate
for your given runlevel based on the entries in the /etc/inittab file.
That's why init is always process #1 (PID 1) when you run 'ps'. However,
we can tell the Linux kernel to run a different program instead of
/sbin/init by using the 'init=' option on the lilo command line:

lilo: linux init=/bin/bash

Now the kernel will launch /bin/bash as root, as PID 1. Voilà! A root
shell, no questions asked. You could name any program you wanted, but
/bin/bash is probably the most convenient. (Because it is PID 1, bash
will complain that it has no job control, and exiting it panics the
kernel instead of returning you to a login prompt.)

When you boot Linux in this manner, you'll find that the root
filesystem is mounted read-only[1] (and nothing else is mounted at all,
not even /proc). Once you're at a shell though, fixing this is trivial:

# fsck /
# mount -o rw,remount /

So you can see that enabling sulogin is not sufficient to prevent
someone at the console from getting a root shell; you must also put a
password on your kernel definitions so that lilo refuses to pass
command-line arguments to the kernel without it. I showed you how to do
this last week, but let's recap.

Add the 'restricted' and 'password' options to the relevant
/etc/lilo.conf kernel definition[2]. 'password' alone makes lilo demand
the password on every boot of that image; adding 'restricted' relaxes
that so the password is demanded only when someone types parameters
after the label, which is exactly the case we care about here:

image=/boot/vmlinuz
    label=linux
    restricted
    password=suLoginIsntSufficient
    read-only
    root=/dev/hda7

Of course, since the password sits in lilo.conf in clear text, don't
forget to make the file unreadable by local users:

# chmod 600 /etc/lilo.conf

And now re-run lilo when you're done:

# lilo

If you're paranoid, then you can always make lilo.conf immutable
(unchangeable) with chattr[3]:

# chattr +i /etc/lilo.conf

If you ever do need to make changes, then you'll need to turn off the
immutable bit first:

# chattr -i /etc/lilo.conf
# $EDITOR /etc/lilo.conf
# chattr +i /etc/lilo.conf
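The steps above are easy to get half right: a 'restricted' line without a
'password' line protects nothing, and a password in a world-readable
lilo.conf protects little. The script below is an added example, not code
from this article or from the LILO project. It audits a lilo.conf for
stanzas that still accept kernel parameters without a password, for a
file mode looser than 600, and (where lsattr is available) for the
immutable bit. It assumes the standard lilo.conf layout: an optional
global section followed by image=/other= stanzas, with 'password' and
'restricted' lines before the first stanza applying to every stanza. The
sample configuration it carries is constructed for the demo and is not
any real host's file.

```shell
#!/bin/sh
# lilo_audit.sh: an added example, not code from the article or from the
# LILO project.  Checks a lilo.conf against the hardening steps above:
#   1. every image=/other= stanza needs an effective "password" line
#      ("restricted" alone protects nothing; it only limits when the
#      password is asked for);
#   2. the file must not be readable by group/other (chmod 600);
#   3. optionally, the immutable bit set by chattr +i.
# Assumed layout (standard for LILO): an optional global section, then
# image=/other= stanzas; "password"/"restricted" lines before the first
# stanza apply to every stanza.

# Print one line per stanza that lets anyone at the console pass kernel
# parameters (e.g. init=/bin/bash) without a password.  Returns 1 if any
# such stanza exists, 0 if all are protected.
lilo_unprotected_images() {
    awk '
        function report() {
            if (label == "") return          # still in the global section
            if (!(pw || gpw)) {
                print label ": no password, init=/bin/bash accepted"
                bad++
            }
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comment, trim
        $0 == "" { next }
        /^(image|other)[ \t]*=/ {
            report()                         # finish the previous stanza
            label = $0; pw = 0; insec = 1    # label defaults to the image line
            next
        }
        /^label[ \t]*=/ { sub(/^label[ \t]*=[ \t]*/, ""); label = $0; next }
        /^password[ \t]*=/ { if (insec) pw = 1; else gpw = 1; next }
        END { report(); exit (bad > 0) }
    ' "$1"
}

# Return 0 if group or other can read the file (chmod 600 not applied),
# 1 otherwise.  Uses ls -l rather than stat(1) so it runs on any POSIX system.
lilo_conf_world_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if the ext2/3/4 immutable bit is set, 1 if it is not, and 2 if
# lsattr(1) is unavailable (non-Linux host or e2fsprogs not installed).
lilo_conf_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    case "$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run every check against one file, print the findings, return 0 when clean.
lilo_audit() {
    rc=0
    lilo_unprotected_images "$1" || rc=1
    if lilo_conf_world_readable "$1"; then
        echo "$1: readable by group/other; run: chmod 600 $1"
        rc=1
    fi
    imm=0
    lilo_conf_immutable "$1" || imm=$?
    if [ "$imm" -eq 1 ]; then
        echo "$1: not immutable (optional: chattr +i $1)"
    fi
    return $rc
}

# Constructed sample (not any real host's lilo.conf): the article's
# protected stanza next to an older kernel that was never locked down.
write_sample_conf() {
    cat > "$1" <<'EOF'
boot=/dev/hda
prompt
timeout=50

image=/boot/vmlinuz
    label=linux
    restricted
    password=suLoginIsntSufficient
    read-only
    root=/dev/hda7

image=/boot/vmlinuz.old
    label=old          # "lilo: old init=/bin/bash" needs no password
    read-only
    root=/dev/hda7
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp) && chmod 644 "$sample"
    write_sample_conf "$sample"
    lilo_audit "$sample"
    rm -f "$sample"
elif [ $# -gt 0 ]; then
    lilo_audit "$1"
fi
```

Run it as 'sh lilo_audit.sh /etc/lilo.conf' after every edit and before
re-running lilo; 'sh lilo_audit.sh --demo' audits the built-in sample,
which reports the 'old' stanza and the 644 mode. Remember that the audit
only reads lilo.conf: a change there does nothing to the boot sector
until lilo is re-run.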

So, does this mean we're completely secure now? Nope, sadly not. Other
ways remain that provide root access to the machine, such as booting
from alternate devices like a floppy/CD[4] or just pulling out the disk
and mounting it on a different machine and accessing it there directly,
but we've covered the most direct and simple methods via our lilo
configurations.

NOTES

[1] You could have the kernel mount '/' read write by specifying:

lilo: linux rw init=/bin/bash

at the lilo prompt. However, I like to fsck the drive manually and
remount.
