Re: boot parameters, init= and security issues

Paul Gortmaker (gpg109@rsphy6.anu.edu.au)
Fri, 31 May 1996 16:33:46 +1000 (EST)


- From Miquel van Smoorenburg (miquels@cistron.nl)
Fri, 31 May 1996 00:07:55 +0200 (MET DST)

> I added some security stuff to the sysvinit package, so that
> it always calls the included "sulogin" program even when booting
> into single user or maintenance mode. This requires you to
> enter the root password before a shell is started.

The fewer files that need to be read to boot single user, the
better. (Ideally only /sbin/init and /bin/sh + libc if not static.)
If you are booting single, then you are probably trying to fix up
after suffering file corruption. And then the more files you try and
read, the more chances you will run into trouble. (e.g. /etc/passwd
may now be a directory, sulogin may now be "rm" etc. etc. etc.)

> init=/bin/sh
> LD_PRELOAD=/tmp/hacklib.so

> So I sent a patch to Linus that adds a new configuration option
> to the kernel compile, CONFIG_BOOT_INSECURE that only allows
> the above two if that option is turned on.
>
> Alas, Linus rejected it. This normally means he thinks it
> was not a good idea. Hence the request for comment here.
> Would something like this be useful? Or isn't it because there

Not useful. You can already achieve this with LILO. See below.

> are other boot options that can be abused to achieve the
> same effect (and turning them all off would be unacceptable) ?

Yes there are others. For example, I come along, stick in my handy
ext2fs root floppy and boot with "root=/dev/fd0" B-)

> Or should I forget about it totally and just make a patch for
> LILO that adds allowing/denying certain options at the
> LILO boot prompt (so I could blacklist init= and *LD_*) ?

No need. LILO already supports password checking, with the option
of only asking the password if you try and supply any additional boot
time arguments (incl. "init=/bin/sh" or whatever). LILO even moans
loudly if you put a password in but leave /etc/lilo.conf as 644
which is nice. Combine that with a CMOS/BIOS password and default
BIOS booting from hard disk, and your machine is as secure as the
screws holding the metal cover on.

> This would of course not help people using loadlin for example.

If you are using loadlin, then that means you have an avenue to boot
DOS. Thus you can use a low level disk editor under DOS, and insert a
root password of your choice. Case closed.

Probably better to spend your time on the serial console patches. I'd
bet they are of more use to the general Linux community. ;-)

Paul.
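The LILO protection Paul describes, as an added check that is not part of the original thread: a small POSIX shell audit of a lilo.conf for a global `password=` (so extra boot arguments like `init=/bin/sh` are only honoured after the password), for `restricted`, and for the world-readable file LILO moans about. The two sample configs and the placeholder password are constructed for the demonstration.

```shell
# Added example, not from the thread: audit an /etc/lilo.conf for the
# protection Paul describes (a global password=, so the boot prompt demands
# it before honouring extra arguments such as init=/bin/sh) and for the
# world-readable-file problem LILO warns about. Sample configs below are
# constructed for the demonstration; the password value is a placeholder.

# write_samples WEAK HARD: create two constructed configs to check.
write_samples() {
    cat > "$1" <<'EOF'
boot=/dev/hda
prompt
image=/vmlinuz
    label=linux
    root=/dev/hda1
EOF
    chmod 644 "$1"
    cat > "$2" <<'EOF'
boot=/dev/hda
prompt
password=PLACEHOLDER-change-me
restricted
image=/vmlinuz
    label=linux
    root=/dev/hda1
EOF
    chmod 600 "$2"
}

# lilo_check FILE: report each missing protection; the exit status is the
# number of problems found, so 0 means the file matches the advice above.
lilo_check() {
    cfg="$1"; problems=0
    if ! grep -qE '^[[:space:]]*password[[:space:]]*=' "$cfg"; then
        echo "$cfg: no password= set; any boot prompt argument is accepted"
        problems=$((problems + 1))
    elif grep -qE '^[[:space:]]*restricted([[:space:]]|$)' "$cfg"; then
        echo "$cfg: password only asked when extra arguments are given"
    else
        echo "$cfg: password asked on every boot (no 'restricted')"
    fi
    # Column 8 of ls -l is the world-read bit: a password in a mode 644
    # file is readable by every local user, the case LILO complains about.
    if [ "$(ls -ld "$cfg" | cut -c8)" = "r" ]; then
        echo "$cfg: world-readable; chmod 600 and rerun lilo"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run `lilo_check /etc/lilo.conf` on a real system; the weak sample above fails both checks and the hardened one passes.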