On Wed, 2 May 2001, Miroslav Skoric wrote:
> "Hossein S. Zadeh" wrote:
> >
> > If your untrusted users have physical access
> > to the server, so they can reboot the machine and go to single user mode,
> > you've got much more to worry about than just changed root password.
> >
>
> I plan to install a simple ham radio bbs in the local school. The system
> should be based on Linux. To avoid installing client computers in the
> same room, users should be allowed to log on locally and 'telnet' to the
> internal bbs. Kids are curious and they can easily reboot the machine
> (just by pulling the cord) and enter single mode. For the sake of system
> reboots by itself (in case of power outage) it should activate the bbs
> automatically, without admin's response. So, boot password should not be
> implemented or something like that.
>
You can put a password on it. Look at the password= and restricted
options of lilo. When used together, normal booting does not require a
password, but if you add anything to the command line, it requires a
password, i.e. "linux" boots without a password, but "linux single"
requires a password. Make sure /etc/lilo.conf is only readable by root!
>
> Now, I just wonder if they could get root's privileges by any way (of
> course without opening the box in order to erase RAM etc etc)? Is there
> a way to disable 'single' mode option? Is there a way to use any
> 'rootkit' tool from ordinary user's account in order to get root's
> password? From my previous experience with the kids, they are likely to
> use software rather than hardware solutions to beat the system :-)
>
> Misko
>
>
As far as using a 'rootkit' to get root access from an ordinary user's
account, it is possible, so you will want to keep up to date on security
updates. The known holes have been patched, but... You may also want
to run the Bastille script packages to "harden" the system, and make a
local exploit harder. (It also makes a remote exploit harder...)
Also make sure you disable booting from a floppy, and password protect
entering the BIOS setup. (You may also want to disable displaying the
"Hit DEL to enter setup" message, or whatever the message is for your
BIOS.)
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
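
An added example, not part of the original thread: a small Python check for the setup described in the reply above (password= together with restricted, and a lilo.conf that non-root users cannot read). The sample config, the CHANGEME placeholder and the function name audit_lilo are constructed for illustration.

```python
import stat

# Constructed sample lilo.conf; CHANGEME is a placeholder, not a real password.
SAMPLE = """\
boot=/dev/hda
prompt
timeout=50
password=CHANGEME
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""

def audit_lilo(conf_text, mode):
    """Return findings for a lilo.conf body and the file's st_mode."""
    findings = []
    # The password sits in the file in clear text, so group/other get no access.
    if stat.S_IMODE(mode) & 0o077:
        findings.append("lilo.conf is accessible to non-root users")
    # Section 0 holds global options; each image=/other= line opens a new section.
    sections = [{"name": "global", "opts": set()}]
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("image", "other"):
            sections.append({"name": value.strip(), "opts": set()})
        else:
            sections[-1]["opts"].add(key)
    global_opts = sections[0]["opts"]
    for sec in sections[1:]:
        effective = global_opts | sec["opts"]  # global options apply to every image
        if "password" not in effective:
            findings.append(f"{sec['name']}: no password, extra boot arguments such as 'single' are accepted")
        elif "restricted" not in effective:
            findings.append(f"{sec['name']}: password without restricted, an unattended reboot will wait for the password")
    return findings

if __name__ == "__main__":
    # 0o100644 models a world-readable regular file; 0o100600 is root-only.
    for finding in audit_lilo(SAMPLE, 0o100644):
        print("FINDING:", finding)
```

To check a real system, pass the contents of /etc/lilo.conf and `os.stat("/etc/lilo.conf").st_mode`; changes to the file take effect only after /sbin/lilo is re-run.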