[NTLUG:Discuss] ARGH! Root password lost

Richard Cobbe cobbe at directlink.net
Tue Jan 18 17:07:20 CST 2000


Victor Brilon wrote on 1-18-2000:

> At the LILO prompt type: linux single (assuming your linux boot is
> called linux).
> That will drop you into single user mode where you have a root shell
> without a password. Then either edit /etc/passwd and/or /etc/shadow, or
> just use the 'passwd' command for root.
> 

That's about it.  I thought I'd contribute a little something to this,
though.

Those of you who've thought about this carefully will have realized that,
yes, in fact, by default, this *does* allow anyone who has access to the
console and knows what they're doing to get root access on the machine.

(IIRC, Ms. Weaver, who posted the initial question, is the CS teacher at a
high school.  If this is a lab machine, this needs to get locked down.
Yesterday.)

To fix this:

In /etc/lilo.conf (or wherever you keep yours), add the following lines
outside of any of the image-specific stuff:

restricted
password=<whatever>

and re-run lilo.

This will ask for the supplied password whenever an argument is supplied to
the image label at the LILO prompt.  In other words, typing 'linux' won't
require a password, but 'linux single' will.  I usually make this the same
as the root password, because they're basically equivalent -- once you have
one, you can get/set the other with a minimum of difficulty.

NOTE: this password is stored in clear text in the lilo.conf file.  You
will want to chmod it so that it's only readable by root, ESPECIALLY if you
use your root password!  Watch out for any editor-created backups, too!

Another drawback, if you set this to be your root password: if you forget
this, you're *really* up a creek and will have to re-install, unless you've
got a rescue disk.

Richard
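
The checks described in the message above (global `restricted` and `password=` lines, a root-only lilo.conf, no readable editor backups), as an added example that is not part of the original post. The function names and the sample config are constructed for illustration, and the permission check looks only at the group/other mode bits, not at file ownership.

```shell
#!/bin/sh
# Added example (not from the original post): audit a LILO config for the
# hardening described above. Prints one line per finding; returns 1 if any.

# Global section = everything before the first image=/other= line,
# with comments and blank lines dropped.
global_section() {
    awk '/^[ \t]*(image|other)[ \t]*=/ { exit } { sub(/#.*/, "") } NF' "$1"
}

# True if the file grants any permission bit to group or others.
loose_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

audit_lilo_conf() {
    conf=$1 rc=0
    globals=$(global_section "$conf")
    for key in 'restricted[[:space:]]*$' 'password[[:space:]]*='; do
        if ! printf '%s\n' "$globals" | grep -Eq "^[[:space:]]*$key"; then
            echo "MISSING global option: ${key%%\[*}"
            rc=1
        fi
    done
    # The password is clear text: the config and every copy whose name starts
    # with it (lilo.conf~, lilo.conf.bak, ...) must be unreadable to non-root.
    for f in "$conf"*; do
        [ -f "$f" ] || continue
        if loose_perms "$f"; then
            echo "EXPOSED: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: hardened config, but an editor backup left world-readable.
demo() {
    d=$(mktemp -d)
    printf 'boot=/dev/hda\nrestricted\npassword=EXAMPLE-ONLY\nimage=/boot/vmlinuz\n  label=linux\n' > "$d/lilo.conf"
    chmod 600 "$d/lilo.conf"
    cp "$d/lilo.conf" "$d/lilo.conf~"
    chmod 644 "$d/lilo.conf~"
    audit_lilo_conf "$d/lilo.conf"
    rm -rf "$d"
}
demo || true
```

On a real system, call `audit_lilo_conf /etc/lilo.conf` as root; the constructed demo reports only the backup file as exposed.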



