Tips Linux Explorers   All Things Linux Forum   Great Linux Links   LinuxClues.com   Hometown   Email 



PASSWORD PROTECT LILO


If your Linux computer is accessible to more people than just yourself, and you want to beef up security, you might think about a few extra measures:

1). Password protect your BIOS so people cannot use a Live CD to access your Linux partitions.
2). Password protect your Lilo bootloader so it cannot boot in "single user mode" ( in runlevel 1 any user can give root commands without needing a password ).
3). Password protect Lilo so it will not boot at all without the Lilo password.

We will explore a few possible setups:

First we set a password that Lilo will require before it allows you to boot the OS you selected ( Linux or Windows ). Here is an example of what the /etc/lilo.conf file should look like ( for the example I will set the password to "L1n3&ux9" ):

QUOTE
default="Linux"
boot=/dev/hda
map=/boot/map
keytable=/boot/us.klt
menu-scheme=wb:bw:wb:bw
prompt
nowarn
password=L1n3&ux9
timeout=100
message=/boot/message
image=/boot/vmlinuz
        label="Linux"
        root=/dev/hdb1
        initrd=/boot/initrd.img
        append="acpi=ht splash=verbose"
        vga=788
        read-only
other=/dev/hda1
        label="windows"
        table=/dev/hda



In the next example we will set a password only for the Linux OS . . . . booting Windows will not need a password:

QUOTE
default="Linux"
boot=/dev/hda
map=/boot/map
keytable=/boot/us.klt
menu-scheme=wb:bw:wb:bw
prompt
nowarn
timeout=100
message=/boot/message
image=/boot/vmlinuz
        password=L1n3&ux9
        label="Linux"
        root=/dev/hdb1
        initrd=/boot/initrd.img
        append="acpi=ht splash=verbose"
        vga=788
        read-only
other=/dev/hda1
        label="windows"
        table=/dev/hda



In our last example you can boot both Linux and Windows without a password . . . but if you try to boot Linux with extra arguments ( like "linux 1" to boot in single user mode ) you will need the password:

QUOTE
default="Linux"
boot=/dev/hda
map=/boot/map
keytable=/boot/us.klt
menu-scheme=wb:bw:wb:bw
prompt
nowarn
timeout=100
message=/boot/message
image=/boot/vmlinuz
        password=L1n3&ux9
        restricted
        label="Linux"
        root=/dev/hdb1
        initrd=/boot/initrd.img
        append="acpi=ht splash=verbose"
        vga=788
        read-only
other=/dev/hda1
        label="windows"
        table=/dev/hda



NOTE 1: After changing the /etc/lilo.conf file be sure to give the command "/sbin/lilo" to write the new Lilo to the MBR !

NOTE 2: The password is stored in plain text in lilo.conf, and in normal cases everybody can read that file, so you should change the permissions on it so only root can read it:

CODE
# chmod 600  /etc/lilo.conf
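
A quick way to check which of the three setups a given lilo.conf actually implements, and whether NOTE 2 has been applied. This is an added example, not part of the original tip; the function names lilo_audit and lilo_conf_private are hypothetical, and the sample config and its placeholder password are constructed.

```shell
#!/bin/sh
# Added example: audit a lilo.conf for the three setups described above.
# lilo_audit and lilo_conf_private are hypothetical helper names.

# Print "<label>: open|password|restricted" for every image=/other= section.
# A global password= or restricted applies to all sections.
lilo_audit() {
    awk '
    function report() {
        if (!insec) return
        pw = secpw || gpw; res = secres || gres
        print label ": " (pw ? (res ? "restricted" : "password") : "open")
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^#/ || $0 == "" { next }
    /^(image|other)[ \t]*=/ {
        report(); insec = 1; secpw = secres = 0
        label = $0; sub(/^[^=]*=[ \t]*/, "", label); next
    }
    /^label[ \t]*=/ {
        label = $0; sub(/^[^=]*=[ \t]*/, "", label); gsub(/"/, "", label); next
    }
    /^password[ \t]*=/ { if (insec) secpw = 1; else gpw = 1; next }
    /^restricted$/     { if (insec) secres = 1; else gres = 1; next }
    END { report() }
    ' "$1"
}

# Succeed only if group and others have no permission bits (e.g. mode 600).
lilo_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample modelled on the last setup; the password is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
prompt
timeout=100
image=/boot/vmlinuz
        password=EXAMPLE-ONLY
        restricted
        label="Linux"
other=/dev/hda1
        label="windows"
EOF
chmod 600 "$sample"
lilo_audit "$sample"
lilo_conf_private "$sample" || echo "WARNING: $sample is readable by others"
rm -f "$sample"
```

An entry reported as "open" boots with any arguments and no password, "restricted" asks for the password only when extra arguments are given, and "password" always asks.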


After protecting Lilo and the BIOS with a password the only way to tamper with your computer is fiddling with the jumpers on the motherboard to reset the BIOS, so if it is located in a public place you might want to physically lock the box as well.



Bruno



-- May 21 2006 --

