All computers with existing versions of LinuxPPC installed are
accessible as root by anyone if they are able to boot the machine
in single user mode. Fortunately, The solution is very simple. You
can disable the automatic login as root when the machine is booted
into single user mode. The method for doing this is described
below.
This update is retroactive — that is, it covers every previous
version of LinuxPPC. All previus releases (including Release 4 and
4.1) have this vulnerability.
To disable automatic login as root when the machine is booted
into single user mode, you need to add two lines to the file
/etc/inittab. Add these lines to the very end of the file:
# What to do in single-user mode.
~:S:wait:/sbin/sulogin
After doing this, you must reboot the computer for the changes
to take effect.
An explanation of what this does.
The first line is a comment. Commented lines always begin with
the pound (#) sign. They’re ignored by the computer. The next line
tells the computer to run /sbin/sulogin, which asks for the
password for root, when someone trys to boot in single user
mode,
If your system is set up so that it doesn’t ask you for the root
password at all, it will do so after you add this line to
/etc/inittab and reboot. The /etc/inittab file is read before any
logins are allowed, which makes this action immediately effective
upon reboot.
This security feature will be built in to the next version of
LinuxPPC.