There are a couple of old sayings in the business: "There's no security without physical security"; and, "The greatest threat comes from within". If your computer is in a locked room and only you access it, or everyone who has access is trusted implicitly, then fine. If not, read on.
What if I told you that, if you let me boot your typical Fedora installation, I could probably get root access in around a minute without you telling me your passwords?
I'm not referring to a BIOS backdoor - though these are rumoured to exist in some manufacturers' BIOS. Nor am I referring to resetting your CMOS memory - though if you lock your computer's case, you can effectively neutralise that weakness. And I'm not referring to using a plug-in hardware key logger to grab your root password - but someone could, and if an untrusted individual can walk past your desktop computer when you're absent then you might want to check the integrity of your keyboard connection from time to time. Of course, there are other, less likely security threats.
What I'm going to use is "single user mode". In brief, Linux uses Run Levels to define pre-set boot environments (sequences of boot-up tasks). Often these will be different from one distro to the next, although Run Level 0 and 6 are always the same, being Halt and Reboot, respectively. In Fedora, Run Level 1 (or S) is single user mode, where the user is given a root shell for maintenance or recovery. Without going into the subtle differences between Run Level 1 and S (just accept that both are single user mode), what you need to know is that the Grub bootloader permits a user to select single user mode by editing Grub boot parameters at boot time, and that this functionality is available unless you have defined a bootloader password (note 1). Furthermore, single user mode in Fedora is not password protected. At the end of this post are the steps to enter single user mode - try it and see for yourself.
To mitigate the risks, you have three options, any or all of which may be used to add degrees of protection:
(1) Encrypt your hard-drive
(2) Add password protection to Grub
(3) Add password protection to single user mode
Encrypting your hard-drive is a useful option on its own, as it protects your data against someone managing to boot from, say, a LiveCD (possible if, for example, you don't enforce a BIOS password) or against someone gaining direct access to your hard-drive (e.g. from a stolen laptop or external hard-drive). Whole disk encryption via LUKS is now offered in Fedora during installation, but that option will not encrypt your boot partition, meaning that the Linux kernel, and hence the rest of the system, remain vulnerable without employing other security mechanisms. Encryption is a very involved topic and I won't cover it further here.
Password-protecting Grub can prevent booting an operating system, and prevent other Grub operations (note 2), without the password(s). You can set a different password for each OS, use the same password for all OSs, or you can restrict password protection to just preventing interactive operation, which includes editing boot parameters. There's plenty of information available on configuring Grub, not the least of which is the Grub online manual. Fedora offers you the opportunity to set a bootloader password in the Anaconda installer, which will, without further configuration, prevent changing boot parameters without the password.
Did you decline to set a bootloader password during Fedora installation? If so, you're not alone - many people don't set a password, especially since it is disabled by default and the setting is easy to overlook. You can follow the advice below to set a Grub password now and read on to password protect single user mode.
In a terminal:
... enter a suitable password for your bootloader (and re-enter to confirm). The resulting output is the password hash that we need to store in file /boot/grub/grub.conf. In the terminal (and note, we'll first make a backup copy of grub.conf in case you make a mistake):
cp /boot/grub/grub.conf /boot/grub/old_grub.conf
Near the top of the file, you'll see text that looks something like:
In this section (and I suggest best placed immediately below the line highlighted in bold) add this new line:
password --md5 paste-your-password-hash-here
Save and exit. That's it. Your bootloader is now protected by a password. For the most part, you won't need to use your bootloader password, but it's an important security enhancement to have it set.
for further advice on setting and using Grub passwords, including protecting individual operating systems.
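An added example, not part of the original post: a shell function that checks a Grub configuration file for the global password line described above, and tells apart a missing password, a clear-text password, a leftover placeholder and a proper hash. The function names are illustrative, and it assumes the hash is in MD5-crypt form ($1$salt$digest).

```shell
#!/bin/sh
# Added example: report the bootloader-password state of a Grub (legacy)
# configuration file such as /boot/grub/grub.conf.
#
# Only the global section (everything before the first "title" line) is
# examined, because that is where the post places the password line.
#
# Prints one of:
#   none       no global password line: boot parameters can be edited freely
#   plaintext  password line present, but stored in clear text (no --md5)
#   bad-hash   --md5 given, but the argument is not an MD5-crypt hash
#              (e.g. "paste-your-password-hash-here" was left in place)
#   md5        --md5 followed by an MD5-crypt hash ($1$salt$digest, assumed)
grub_password_state() {
    awk '
        $1 ~ /^#/        { next }     # comment line, ignore
        $1 == "title"    { exit }     # first menu entry ends the global section
        $1 == "password" && NF >= 2 {
            if ($2 != "--md5")            state = "plaintext"
            else if ($3 ~ /^\$1\$.+\$.+/) state = "md5"
            else                          state = "bad-hash"
        }
        END { print (state == "" ? "none" : state) }
    ' "$1"
}

# Exit status 0 only when a hashed global password is configured.
grub_is_protected() {
    [ "$(grub_password_state "$1")" = "md5" ]
}

# Run against the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then
    grub_password_state "$1"
fi
```

Saved under a name of your choice and run as root with /boot/grub/grub.conf as its argument, it prints one of the four states; anything other than "md5" means the global password line needs attention.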
Single User Mode Password
In addition to, or in lieu of, password-protecting Grub, you can password-protect single user mode, though it offers less protection when used alone.
You can easily find information online about how password-protecting single user mode used to be done, but things have changed. With the introduction of Upstart in F9, Fedora start-up tasks are invoked a bit differently, and the differences will continue to grow as Upstart matures. For instance, file /etc/inittab has been mostly deprecated - it now serves only to define the default run level and all other configuration is ignored. Upstart generally gets its information from files in directory /etc/event.d, and in this case the file of interest is /etc/event.d/rcS-sulogin.
What we need to do is edit file /etc/event.d/rcS-sulogin as root. In a terminal:
You'll see a section that looks like this:
runlevel --set S >/dev/null || true
plymouth --hide-splash || true
Note the line highlighted in bold. Change it to read:
Save and exit. That's it. Now, if anyone enters single user mode, they'll be presented with a prompt for the root password instead of being given a root shell.
Steps to Enter Single User Mode
Reboot. When the Grub splash or countdown is displayed, press any key to display the Grub menu. If you have a bootloader password set, you will have to press 'p' and enter the password at this point. Highlight your desired Fedora kernel (i.e. menu item) and hit 'e'. Next, you will find yourself in the Grub edit menu with the contents of your highlighted entry displayed. Use the arrow keys to select the line beginning with 'kernel ...' and hit 'e' to edit it. The line will be displayed - scroll to the end and append a space followed by an 's' or the word 'single', then hit 'Enter'. Now hit 'b' and you will boot to single user mode. If you have enabled password protection in single user mode, you should eventually see:
Give root password for maintenance
(or type Control-D to continue):
Otherwise, you'll be presented with a root shell!
1: Fedora's Anaconda installer gives you the opportunity to set a Grub bootloader password during Fedora installation. Installers for other distros may not do this, so if you installed Grub from another distro you should check your Grub configuration manually. Note that the gfxmenu included with Grub in some other distros does not work when a bootloader password is set. If you installed a different bootloader (i.e. not Grub) then there may be no password facility. When more than one operating system is installed, you should use a method or methods that protect all of them.
2: Grub has a console (its own limited command line) - available commands include 'cat', which can display the contents of a file.