Another Backdoor to Root Access
In last week's article, I showed you how to enter single user mode at
the lilo prompt, ala:
lilo: linux single
lilo: linux 1
Both of those arguments tell init to boot into runlevel 1. If you have
sulogin set to run, then single user mode is only available if you know
the actual root password, which is a good thing. However, another method
exists for you to gain passwordless root access without using single
user mode at all.
Normally, the linux kernel will launch /sbin/init once it's finished
loading. init is responsible for starting all the programs appropriate
for your given runlevel based on the entries in the /etc/inittab file.
That's why init is always process #1 when you do a 'ps'. However, we can
tell the Linux kernel to run a different program instead of /sbin/init
by using the 'init=' option on the lilo command line:
lilo: linux init=/bin/bash
Now the kernel will launch /bin/bash as root. Viola! A root shell, no
questions asked. You could run anything you wanted, but /bin/bash is
probably the most convenient method.
When you boot Linux in this manner, you'll find that your disks are
mounted read-only. Once you're at a shell though, fixing this is
# fsck /
# mount -orw,remount /
So you can see that enabling sulogin is not sufficient to prevent
someone at the console from getting a root shell; you must create
password restrictions for your kernel definitions to prevent anyone from
passing command-line arguments to the kernel. I showed you how to do
this last week, but let's recap.
Add 'restricted' and 'password' options to the relevant /etc/lilo.conf
Of course, don't forget to make the lilo.conf file unreadable by local
# chmod 600 /etc/lilo.conf
And now re-run lilo when you're done:
If you're paranoid, then you can always make lilo.conf immutable
(unchangeable) with chattr
# chattr +i /etc/lilo.conf
If you ever do need to make changes, then you'll need to turn off the
immutable bit first:
# chattr -i /etc/lilo.conf
# $EDITOR /etc/lilo.conf
# chattr +i /etc/lilo.conf
So, does this mean we're completely secure now? Nope, sadly not. Other
ways remain that provide root access to the machine, such as booting
from alternate devices like a floppy/CD or just pulling out the disk
and mounting it on a different machine and accessing it there directly,
but we've covered the most direct and simple methods via our lilo
 You could have the kernel mount '/' read write by specifying:
lilo: linux rw init=/bin/bash
at the lilo prompt. However, I like to fsck the drive manually and
remount. Call me paranoid.
 Actually, you can use restricted or password in the global section
as well, not just in an image definition. However, I like having
different passwords for each image, so I don't put 'password' in the
global section. Restricted, on the other hand, is fine if you want
them all restricted.
 chattr only works on ext2/ext3 file systems.
 Most BIOS can disable or password-protect the ability to boot off
other devices. I leave that as an exercise for the reader so we can
get onto more interesting topics again next week.