4.4. Set a LILO or GRUB password
Anybody can easily get a root shell and change your passwords by entering <name-of-your-bootimage> init=/bin/sh at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password.
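You should set a password for the boot loader to make sure this cannot happen. You can choose between a global password and a password for a specific image.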
For LILO you need to edit the config file /etc/lilo.conf and add a password and restricted line as in the example below.
    image=/boot/2.2.14-vmlinuz
        label=Linux
        read-only
        password=hackme
        restricted
Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the restricted line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for /etc/lilo.conf grant read and write permissions to root, and enable read-only access for lilo.conf's group, root.
If you use GRUB instead of LILO, edit /boot/grub/menu.lst and add the following two lines at the top (substituting, of course, hackme with the desired password). This prevents users from editing the boot items. timeout 3 specifies a 3 second delay before grub boots the default item.
    timeout 3
    password hackme
To further harden the integrity of the password, you may store the password in an encrypted form. The utility grub-md5-crypt generates a hashed password which is compatible with GRUB's encrypted password algorithm (MD5). To specify in grub that an MD5 format password will be used, use the following directive:
    timeout 3
    password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0
The --md5 parameter was added to instruct grub to perform the MD5 authentication process. The provided password is the MD5 encrypted version of hackme. Using the MD5 password method is preferable to choosing its clear-text counterpart. More information about grub passwords may be found in the grub-doc package.
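
The settings described in this section can be checked with a small shell function. This is an added example, not part of the original manual: the name audit_bootloader_conf is hypothetical, and it assumes the lilo.conf and menu.lst syntax shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit a LILO or GRUB config file for
# the boot password settings described in this section.
# Usage: audit_bootloader_conf <lilo|grub> <path-to-config>
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_bootloader_conf() {
    kind=$1 conf=$2 findings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # lilo.conf uses "password=<value>", menu.lst uses "password <value>".
    case $kind in
        lilo) pw_re='^[[:space:]]*password[[:space:]]*=' ;;
        grub) pw_re='^[[:space:]]*password[[:space:]]' ;;
        *) echo "ERROR: unknown kind $kind"; return 2 ;;
    esac

    if ! grep -Eq "$pw_re" "$conf"; then
        echo "FAIL: no password directive in $conf"
        findings=1
    fi

    # GRUB: flag a clear-text password; the hashed form is "password --md5 <hash>".
    if [ "$kind" = grub ] && grep -E "$pw_re" "$conf" | grep -vq -- '--md5'; then
        echo "WARN: clear-text GRUB password in $conf, hash it with grub-md5-crypt"
        findings=1
    fi

    # LILO: without "restricted", lilo prompts for the password on every boot.
    if [ "$kind" = lilo ] && grep -Eq "$pw_re" "$conf" \
        && ! grep -Eq '^[[:space:]]*restricted' "$conf"; then
        echo "INFO: no restricted line, lilo will always prompt for the password"
    fi

    # Character 8 of the "ls -l" mode string is the read bit for "other".
    if [ "$(ls -ld "$conf" | cut -c8)" = r ]; then
        echo "FAIL: $conf is world readable"
        findings=1
    fi
    return $findings
}
```

Run it as root against /etc/lilo.conf or /boot/grub/menu.lst after editing, for example: audit_bootloader_conf grub /boot/grub/menu.lst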