Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 7875

Summary: no root passwd prompt when booting single user mode: linux single
Product: [Retired] Red Hat Linux Reporter: williamsmw
Component: abootAssignee: Cristian Gafton <gafton>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: williamsmw
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-12-20 17:25:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description williamsmw 1999-12-18 05:25:00 UTC
I had to boot single user mode today and realized I am not prompted for a
password.  This is a really bad security risk.

Makes the system extremely vulnerable.

To duplicate:  at the lilo prompt type:  linux single

I tested this on RedHat 6.1 and Mandrake 6.1 which both allowed access to
entire system as root without a password.

Tested this on Caldera 2.3 and Corel 1.0, of which these systems gave the
expected prompt:

Give root password for maintenance
(or type Control-D for normal startup):

I need this fixed ASAP to certify my systems.....


Mark Williams

Comment 1 Chris Siebenmann 1999-12-19 03:24:59 UTC
A system that allows arbitrary LILO arguments cannot be secured
by giving single-user mode a password; one can just boot with
'linux init=/bin/sh' and bypass all of those checks. The real
solution is to set /etc/lilo.conf up to not allow extra arguments
without a password. (And to force the BIOS to boot only from the
HD, and to password-protect the BIOS.)

Comment 2 Bill Nottingham 1999-12-20 17:25:59 UTC
What he said. ;)