Gentoo Logo

[ << ] [ < ] [ Home ] [ > ] [ >> ]

2. Tightening Security


2.a. USE flags

The make.conf file contains user defined USE flags and /etc/make.profile/make.defaults contains the default USE flags for Gentoo Linux. For this guide's purposes, the important flags are pam (Pluggable Authentication Modules), tcpd (TCP wrappers), and ssl (Secure Socket Layer). These are all in the default USE flags.

2.b. Password protecting GRUB

GRUB supports two different ways of adding password protection to your boot loader. The first uses plain text, while the latter uses md5+salt encryption.

Code Listing 2.1: /boot/grub/grub.conf

timeout 5
password changeme

This will add the password changeme. If no password is entered at boot, GRUB will simply use the default boot setting.

When adding an md5 password, you must convert your password into crypt format, which is the same format used in /etc/shadow. For more information see man crypt. The encrypted password changeme, for example, could look like this: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

You can encrypt your password directly at the GRUB shell:

Code Listing 2.2: md5crypt in grub shell


GRUB version 0.92 (640K lower / 3072K upper memory)

   [ Minimal BASH-like line editing is supported. For the first word, TAB lists
     possible command completions. Anywhere else TAB lists the possible
     completions of a device/filename. ]

grub> md5crypt

Password: ********
(Typed changeme at the prompt)
Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

grub> quit

Then, cut and paste your password to /boot/grub/grub.conf.

Code Listing 2.3: /boot/grub/grub.conf

timeout 5
password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

The 5 seconds timeout becomes handy if the system is remote and should be able to reboot without any keyboard interaction. Learn more about GRUB passwords by executing info grub.

2.c. Password protecting LILO

LILO also supports two ways of handling passwords: global and per-image, both in clear text.

The global password is set at the top of the configuration file, and applies to every boot image:

Code Listing 3.1: /etc/lilo.conf


The per-image password is set as below:

Code Listing 3.2: /etc/lilo.conf


If the restricted option is not entered, it will prompt for a password every time.

In order to store the new information in lilo.conf, you must run /sbin/lilo.

2.d. Restricting Console Usage

The /etc/securetty file allows you to specify which tty (terminal) devices root is allowed to login to.

We suggest that you comment out all lines except vc/1 if you are using devfs and all lines except tty1 if you are using udev. This will ensure that root only can login once and only on one terminal.

Note: Users in the group "wheel" can still su - to become root on other TTYs.

Code Listing 4.1: /etc/securetty

(For devfs)
(For udev)

[ << ] [ < ] [ Home ] [ > ] [ >> ]


View all

Page updated April 2, 2010

Summary: Tightening security during and after installation.

Kim Nielsen

John P. Davis

Eric R. Stockbridge

Carl Anderson

Jorge Paulo

Sven Vermeulen

Benny Chuang

Sune Jeppesen

Tiemo Kieft

Zack Gilburd

Dan Margolis

Joshua Saddler

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.