[Gllug] LILO Passwords - was Re: [Gllug] Random password generation

David Irvine co2cool at yahoo.com
Wed Sep 12 17:17:33 UTC 2001 

John Edwards wrote:

>On Tue, Sep 11, 2001 at 10:39:35PM +0100, Gordon Joly wrote:
>
>>>And of course you make sure you have  a different password for lilo 
>>>than you have  for root, its amazing how many people who seem to be 
>>>fairly competent believe that its perfectly fine to go round 
>>>sticking the root password unencrypted in world readable files.
>>>
>>That is stoopid. Not the fault of the superuser, but of the system 
>>(OS) designer.
>>
>>There again, /etc/passwd used to have passwords (encrypted).
>>
>>Gordo
>>
>
>Thinking on this - if lilo doesn't encrypt the password could someone 
>read it in from the Master Boot Record ?
>
>I suppose the alternative would be that lilo holds an encrypted password 
>in the master boot record. But as lilo can not read file systems it would 
>have to the code for the passwd and crypt functions in with it, and I don't 
>think it would have the space.
>
>Maybe grub can do this, but I can't see antthing about password in the 
>documentation.
>
>
>ps. If someone can read the Master Boot Record then they could also do a 
>whole load of other nastiness.
>
>
yeah but if you can read the mbr then your unlikely to need the root 
password, for example you've already rooted it, or you  have physical 
access, what i mean is that storing the root password  unencrypted 
 because its the same password as the lilo password is stupid, I'm sure 
there are smarter ways to store the lilo.conf password that could 
beimplemented into lilo, However  my point was that any sysadmin who 
puts the root password in lilo.conf is being  stupid, not the os, its 
obvious that lilo.conf is unencrypted  since cat does nto unencrypt 
passwords magically for the user.  Its obvious to the sysadmin that lilo 
is unencrypted, just like most other config files therefore any data 
stored in that file is unencrypted and that includes the password. 
Therefor anybody who has read access to the file, either because the 
file is  world readable or because they have used a  boot floppy or 
whatever has access to that password, and if that password is the same 
as the root password they can then reboot your box, log  in  as root and 
cover all tracks of the reboot, crack attempt etc.

D



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

More information about the GLLUG mailing list