Title: Securing the LILO bootloader

KBTAG: kben100000002
URL: http://www.securityportal.com/lskb/10000000/kben10000002.html
Date created: 20/07/2000
Date modified: 30/08/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: LILO security
Keywords: Console, Bootloader

Package name: lilo
Distribution: all
Version: all

Summary:

LILO has many options that can be used to enhance security against local attackers. Without taking these steps it is trivial for an attacker to rapidly gain root access on a computer that uses the LILO boot loader.

More information:

LILO's configuration file is typically:

/etc/lilo.conf

Once the computer has decided to boot from C:, LILO takes over. Most bootloaders allow for some flexibility in how you boot the system, LILO especially so, but this is a double-edged sword. You can pass LILO arguments at boot time, the most damaging (from a security point of view) being "image-name single", which boots Linux into single-user mode and, by default in most distributions, dumps you to a root prompt in a command shell with no prompting for passwords or other pesky security mechanisms. Several techniques exist to minimize this risk.

delay=X

This controls how long (in tenths of a second) LILO waits for user input before booting the default selection. One of the requirements of C2 security is that this interval be set to 0 (obviously a dual-boot machine blows most security out of the water). It is a good idea to set this to 0 unless the system dual boots something else. Note that by hitting "?" while LILO is waiting you can get a boot menu (i.e. "Linux", "Linux-orig", "DOS"), even if delay is set to 0. This is why you must use restricted and password to secure LILO.

prompt

Forces the user to enter something; LILO will not boot the system automatically. This could be useful on servers as a way of disabling reboots without a human attendant, but typically if an attacker has the ability to reboot the system they could rewrite the MBR with new boot options. If you add a timeout option, however, the system will continue booting after the timeout is reached.

restricted

Requires a password if boot-time options are passed to the boot loader. Make sure you use this one on each image (otherwise the server will need a password to boot, which is fine if you're never planning to remotely reboot it). If you do not use this, an attacker can issue a command at the LILO prompt like:

linux single

which would boot the "linux" image into single-user mode. In many cases this will dump you to a command prompt. Some distributions do require you to enter the root password to log in, but this is not very helpful, since you can issue a command like:

linux init=/bin/sh

which will boot into single-user mode and use /bin/sh instead of the normal init, leaving you at a root prompt (even if the computer is set to use sulogin, which prompts for a root password with the "single" command).

password=

Requires the user to enter a password; used in conjunction with restricted. Also make sure lilo.conf is no longer world readable, or any user will be able to read the password.

Here is an example of lilo.conf from one of my servers.

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=100
default=linux
image=/boot/vmlinuz-2.2.5
	label=linux
	root=/dev/hda1
	read-only
	restricted
	password=s0m3_pAsSw0rD_h3r3

This boots the system using the /boot/vmlinuz-2.2.5 kernel, stored on the first portion (right after the MBR) of the first IDE hard drive of the system. The prompt keyword would normally stop unattended rebooting; however, because restricted is set in the image (and a timeout is given), it can boot "linux" with no problem, but it would ask for a password if you entered "linux single". So if you want to go into "linux single" you have 10 seconds to type it in, at which point you would be prompted for the password ("s0m3_pAsSw0rD_h3r3"). Combine this with a BIOS set to only boot from C: and password protected and you have a pretty secure system. One minor security measure you can take to secure the lilo.conf file is to set it immutable, using the "chattr" command. To set the file immutable simply:

chattr +i /etc/lilo.conf

and this will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to modify the lilo.conf file you will need to unset the immutable flag:

chattr -i /etc/lilo.conf

Only the root user has access to the immutable flag.
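
The checks described above (password and restricted on each image, lilo.conf not world readable) can be automated. The following is an added example, not part of the original article or of the lilo package: the names parse_lilo_conf, audit and SAMPLE, the "linux-orig" image and the EXAMPLE-ONLY password are constructed for illustration. It assumes that a password or restricted keyword placed before the first image applies to every image, as lilo.conf(5) describes.

```python
import stat

def parse_lilo_conf(text):
    """Return (global_opts, [(label, opts), ...]) from lilo.conf text."""
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in ("image", "other"):            # each starts a per-image section
            current = {"_path": value}
            sections.append(current)
        elif current is None:
            global_opts[key] = value             # options before the first image
        else:
            current[key] = value
    return global_opts, [(s.get("label", s["_path"]), s) for s in sections]

def audit(text, mode):
    """Return findings for lilo.conf content and its st_mode permission bits."""
    global_opts, images = parse_lilo_conf(text)
    findings, has_password = [], "password" in global_opts
    for label, opts in images:
        password = "password" in opts or "password" in global_opts
        restricted = "restricted" in opts or "restricted" in global_opts
        has_password = has_password or password
        if not password:
            findings.append(f"{label}: no password, boot-time options are accepted unauthenticated")
        elif not restricted:
            findings.append(f"{label}: password without restricted, every boot needs the password")
    if has_password and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/other, password is exposed")
    return findings

# Constructed sample: "linux" follows the article's example, "linux-orig" is left open.
SAMPLE = """\
boot=/dev/hda
prompt
timeout=100
image=/boot/vmlinuz-2.2.5
    label=linux
    restricted
    password=EXAMPLE-ONLY
image=/boot/vmlinuz-orig
    label=linux-orig
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o644):         # 0o644 = world-readable
        print(finding)
```

On a live system, pass the real file's contents and os.stat("/etc/lilo.conf").st_mode to audit().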