How to secure LILO with a Password

8:12 AM
Securing LILO with a Password


To prevent LILO from allowing unrestricted booting, you can specify a password in the
lilo.conf file that must be entered if you want to pick a nondefault boot item, add options
to the boot items, or boot into single-user mode.


prompt
timeout=50
default=linux
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear
password=secretpassword
restricted


image=/boot/vmlinuz-2.4.18-14
label=linux
initrd=/boot/initrd-2.4.18-14.img
read-only
append="root=LABEL=/"


The password option allows you to specify a password that must be entered before you are
allowed to boot when the system is first started.


In Listing 1-1 you would replace the phrase secretpassword with a suitably secure password. Unfortunately, this password is stored in the lilo.conf file in clear text, which means anyone who can read this file (which should only be those with root privileges) can see the password.




The restricted option changes the behavior of the password option. With restricted specified,
LILO will prompt for a password only if you specify parameters on the boot loader command
line. For example, it would prompt you for a password if you tried to enter the parameter
single (to enter single-user mode) on the boot loader command line.


You can also specify the password and restricted options with a particular kernel image
statement. This way you can protect a particular kernel image or provide separate passwords
for each kernel image. In the following example I have omitted the restricted option,
which means a password will always be prompted for when trying to boot this kernel image:


image=/boot/vmlinuz-2.4.18-14
password=secretpassword
label=linux
initrd=/boot/initrd-2.4.18-14.img
read-only
append="root=LABEL=/"


Anytime you change your lilo.conf file, you need to run the lilo command to update
your LILO configuration:

puppy# /sbin/lilo


Finally, you need to ensure the lilo.conf file has the correct ownerships and permissions
to ensure only those authorized can see the password in the file.


puppy# chown root:root /etc/lilo.conf
puppy# chmod 0600 /etc/lilo.conf
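As an added example (not from the original post and not part of LILO), the POSIX shell script below reads a lilo.conf the way the options above describe and reports, per image, whether LILO would prompt for a password always, only when boot options are added (restricted), or never, and then checks that the file has the root:root ownership and 0600 mode from the last step. The function names lilo_audit, lilo_conf_perms and sample_conf are mine, and the rule that a per-image password or restricted keyword overrides the global one is an assumption to confirm against lilo.conf(5) for your LILO version.

```shell
#!/bin/sh
# Added audit helper (not part of LILO): per image, say when a lilo.conf would
# prompt for a password; check the file is root-owned, mode 0600 (see above).
# Assumption: per-image password/restricted override the global ones; otherwise
# the global setting is inherited. Confirm against lilo.conf(5) for your version.
# Usage: lilo_audit /etc/lilo.conf  -> prints "<label> <protection>" per image:
#   always  - a password is needed to boot the image at all
#   options - a password is needed only to add boot options such as single
#   none    - no password protects the image
lilo_audit() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    awk -F= '
        function flush(pw, rs) {
            if (!in_image) return
            pw = (ipw != "") ? ipw : gpw
            rs = (irs != "") ? irs : grs
            print label, (pw == "" ? "none" : (rs == "1" ? "options" : "always"))
        }
        $1 == "image"      { flush(); in_image = 1; label = $2; ipw = ""; irs = ""; next }
        $1 == "label"      { label = $2; next }
        $1 == "password"   { if (in_image) ipw = $2; else gpw = $2; next }
        $1 == "restricted" { if (in_image) irs = "1"; else grs = "1"; next }
        END { flush() }
    '
}
# Return 0 only if root-owned with no group/other bits (chown root:root,
# chmod 0600); prints what was found so the caller can see why it failed.
lilo_conf_perms() {
    set -- "$(ls -ld "$1")"
    bits=$(printf '%s\n' "$1" | cut -c5-10)
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    printf 'owner=%s group_other_bits=%s\n' "$owner" "$bits"
    [ "$bits" = "------" ] && [ "$owner" = root ]
}
# Constructed sample lilo.conf (not the post's listing) covering all three cases.
sample_conf() {
    cat <<'EOF'
image=/boot/vmlinuz-2.4.18-14
    label=linux
    password=secretpassword
    restricted
image=/boot/vmlinuz-2.4.18-14
    label=rescue
    password=secretpassword
image=/boot/vmlinuz-old
    label=old
EOF
}
if [ "$#" -gt 0 ]; then lilo_audit "$1"; lilo_conf_perms "$1"; fi  # ./lilo_audit.sh /etc/lilo.conf
```

Run it as `sh lilo_audit.sh /etc/lilo.conf`; the exit status is nonzero when the file is not root-owned and mode 0600, and any image reported as `none` is one that can be booted, with any options, without a password.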
