Anybody can easily get a root-shell and change your passwords by entering <name-of-your-bootimage> init=/bin/sh at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password.
To make sure that this cannot happen, you should set a password for the boot loader. You can choose between a global password or a password for a certain image.
For LILO you need to edit the config file /etc/lilo.conf and add a password and restricted line as in the example below.
When done, rerun lilo. Omitting the restricted line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for /etc/lilo.conf grant read and write permissions to root, and enable read-only access for lilo.conf's group, root.
If you use GRUB instead of LILO, edit /boot/grub/menu.lst and add the following two lines at the top (substituting, of course hackme with the desired password). This prevents users from editing the boot items. timeout 3 specifies a 3 second delay before grub boots the default item.
timeout 3
password hackme
To further harden the integrity of the password, you may store the password in an encrypted form. The utility grub-md5-crypt generates a hashed password which is compatible with grub's encrypted password algorithm (md5). To specify in grub that an md5 format password will be used, use the following directive:
The --md5 parameter was added to instruct grub to perform the md5 authentication process. The provided password is the md5 encrypted version of hackme. Using the md5 password method is preferable to choosing its cleartext counterpart. More information about grub passwords may be found in the grub-doc package.
Remove root prompt on the kernel
Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules when autodetection fails. This behavior is the default for initrd's linuxrc. The following message will appear:
Press ENTER to obtain a shell (waits 5 seconds)
In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set:
# DELAY The number of seconds the linuxrc script should wait to
# allow the user to interrupt it before the system is brought up
DELAY=0
Then regenerate your ramdisk image. You can do this for example with:
# cd /boot
# mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7
