4.4. 设置 LILO 或 GRUB 密码

Anybody can easily get a root-shell and change your passwords by entering

  1. <name-of-your-bootimage> init=/bin/sh

at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password.

您应该为启动加载器设置一个密码以确保这类事情不会发生. 您可以选择设置全局密码或为某个影像设置密码.

For LILO you need to edit the config file /etc/lilo.conf and add a password and restricted line as in the example below.

  1. image=/boot/2.2.14-vmlinuz
  2. label=Linux
  3. read-only
  4. password=hackme
  5. restricted

Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the restricted line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for /etc/lilo.conf grant read and write permissions to root, and enable read-only access for lilo.conf‘s group, root.

If you use GRUB instead of LILO, edit /boot/grub/menu.lst and add the following two lines at the top (substituting, of course hackme with the desired password). This prevents users from editing the boot items. timeout 3 specifies a 3 second delay before grub boots the default item.

  1. timeout 3
  2. password hackme

To further harden the integrity of the password, you may store the password in an encrypted form. The utility grub-md5-crypt generates a hashed password which is compatible with GRUB’s encrypted password algorithm (MD5). To specify in grub that an MD5 format password will be used, use the following directive:

  1. timeout 3
  2. password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0

The —md5 parameter was added to instruct grub to perform the MD5 authentication process. The provided password is the MD5 encrypted version of hackme. Using the MD5 password method is preferable to choosing its clear-text counterpart. More information about grub passwords may be found in the grub-doc package.