Secure Lilo boot loader from bypassing root password

During the installation and setup of any linux distro using the Lilo bootloader, it is quite comfortable to know that you can change or erase the password of the root account if something should go wrong. What happened to me was that the system locale (language) simply made typing my password impossible. If you use Lilo, this is not a reason to re-install.

In the boot process you can press TAB to get up a bash console.
Mount the root filesystem (‘/’) read-write and set the password with command: passwd root
Run sync and reboot using /sbin/reboot
See Zenwalk wiki’s Lost root password for step by step guide

When you are finished setting up the system and want to start using it, however, allowing any user to pass boot parameters with the possibility of bypassing the root password is clearly a security issue. To restrict access to running parameters in Lilo, you can either edit the global or the individual bootimage settings.

Global
add ‘password = secretpass‘ to /etc/lilo.conf
chmod lilo.conf 600 and set owner to root (step by step guide above)
run lilo -v

Individual boot image
specify the password (as above) under each boot entry you have in lilo.conf
and add ‘restricted’ at the end of the entry
chmod lilo.conf 600 and set owner to root (step by step guide above)
run lilo -v

Links:

Note: If you edit global settings, you will have to enter the password each time you boot.

3 thoughts on “Secure Lilo boot loader from bypassing root password”

  1. Personally I have the WRT54GC (which isn’t DD-WRT according to Wikipedia), but I bought a DD-WRT using router to a client recently.
    Let me guess, VPN problems?

  2. Well, the VPN problem has been resolved, but now I’m trying to figure out how to add users. DD-WRT doesn’t come with “adduser” command.

Leave a Reply to Michael Cancel reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.