On Tue, Mar 05, 2002 at 12:14:25PM -0300, Michel Loos wrote:
> On Tue, 2002-03-05 at 11:57, will trillich wrote:
> > On Sun, Mar 03, 2002 at 09:40:48AM -0800, Xeno Campanoli wrote:
> > > In the Trinity OS security recommendation they say to disable the ability
> > > to run init interactively by setting
> > >
> > > prompt=no
> > >
> >
> This is the default in Debian (in lilo.conf) but it is not necessary,
> even if the guy in front of the computer types the usual:
> linux single
> :he will not get root access to your computer without knowing the
> passwd. (At least on testing with a 2.4.x kernel).
>
> If he wants access, he can always boot on a floppy or CD and do whatever
> he wants to.
> You will have to disable (in the BIOS) floppy/CD booting AND put a BIOS
> passwd or all this is for nothing.

And you somehow have to block out somebody giving lilo linux init=/bin/bash
as this will get him/her straight into a root shell.

Check the security howto: http://www.linuxsecurity.com/Security-HOWTO

HTH

--
http://www.karl.jorgensen.com
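
An added example, not part of the thread: a small audit that lists the lilo.conf images for which typed boot parameters are accepted without a password. It relies on the `password=` and `restricted` options documented in lilo.conf(5); both sample configs are constructed, and the check looks only at whether a password is in effect for each image, not at other per-image overrides.

```shell
#!/bin/sh
# Added example: which lilo.conf images accept boot parameters
# (such as the ones discussed in the thread) without asking for a password?

# Reads a lilo.conf on stdin and prints the label of every image=/other=
# section with no password in effect. A password= line before the first
# section is global; one inside a section covers that section only.
lilo_unprotected_images() {
    awk '
        function flush() {
            if (in_image && !(global_pw || image_pw))
                print (label != "" ? label : path)
        }
        {
            sub(/#.*/, "")                    # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "")       # trim whitespace
            if ($0 == "") next
            split($0, kv, /[ \t]*=[ \t]*/)
            key = tolower(kv[1]); val = kv[2]
        }
        key == "image" || key == "other" {
            flush(); in_image = 1; image_pw = 0; label = ""; path = val; next
        }
        key == "label"    { label = val; next }
        key == "password" { if (in_image) image_pw = 1; else global_pw = 1 }
        END { flush() }
    '
}

# Constructed sample: no password anywhere, so parameters are accepted as typed.
weak_conf() { cat <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
    label=linux
    read-only
EOF
}

# Constructed sample: "restricted" asks for the password only when
# parameters are typed at the boot prompt; plain boots stay unattended.
hardened_conf() { cat <<'EOF'
boot=/dev/hda
password=CHANGE-ME
restricted
image=/vmlinuz
    label=linux
    read-only
EOF
}

echo "weak:     $(weak_conf | lilo_unprotected_images)"
echo "hardened: $(hardened_conf | lilo_unprotected_images)"
```

The password is stored in cleartext, so lilo.conf should be readable by root only, and `/sbin/lilo` has to be rerun after editing for the change to take effect.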