Nice link Lobster, many Linux Administrators and those people that use Puppy as secured server, will find this information useful.
I must confess that I had to break root passwords in some Linux systems to gain access (because my Consultant/Administrator job of course). I have done it on Oracle Entrepise Linux (RedHat Linux ES), using grub´s boot options to obtain root access.
The steps are very ease to follow (could vary if you try a different distro), they are posted here for illustrative propose and show the need to secure systems in more than one way:
1. Get physical access to the machine (we still need to boot or reset that machine in someway) and hard power-down that machine.
Warning some information could be lost and a fschk must be run after gain access to that machine.
2. Power on the server and wait for the grub boot screen to appear. At the selection prompt choose the Linux installation and press the
e key to enter edit mode.
3. In the edit mode, grub screen will present a few lines of text (dependent on how grub.conf was edited). Then select the entry that start with "kernel" and press
e again, cursor should show up at the end of the "kernel" line.
4. Now type a space character followed by the word "single" (without the quotes). The entry would now be:
Code: Select all
kernel /boot/vmlinuz-2.6.9-34.EL ro root=/dev/hda1 single
If the system requires to enter a root password to log into single-user mode, then append init=/bin/bash after "single". Hit Enter to save the changes.
5. Now press
b to boot into Single User Mode. Wait the boot process to finish and you will be logged in as root.
Well, as root user you could change password (could use different ways or just command
passwd) and follow Lobster link to secure grub in that machine.
I could not advice about blocking the recovery mode entries, if some goes wrong and we lost root password we still need some way to recover that running system in a short time (recovery time is most valuable variable in a production machine).
A final though if someone has unrestricted physical access, security can´t be granted by any way, because there are other breaking ways, for example mounting Hard Disk on another system and editing the password file. Even a boot password using BIOS is just not enough, BIOS can be reset and any boot password will be lost.
clarf