How to Set Password for Single User Mode in Linux

Most Linux systems allow you to boot into Single User Mode (also called Maintenance Mode), in which only a minimal set of device drivers and services is loaded during boot so that a single user (usually the superuser) can troubleshoot or perform administrative tasks such as repairing corrupted filesystems. In single user mode, the user is dropped into a terminal shell without logging in and can run commands to perform the required tasks. This is a limited shell, but it has access to the entire filesystem. This is a possible security issue, since it gives a user shell access to the entire filesystem without any login credentials. It is therefore essential to password protect single user mode and prevent unauthorized access. In this article, we will learn how to set a password for single user mode in Linux.


In RHEL/CentOS, some parts of single user mode are password protected while the rest are not. For example, the rescue and emergency targets are password protected. If you run either of the following commands to switch to the rescue or emergency target, you will be asked for the root password.

# systemctl isolate rescue.target
OR
# systemctl isolate emergency.target

However, if an unauthorized user has access to the server, they can select the kernel to boot from the GRUB menu and press ‘e’ to edit the first boot option. By changing ro to “rw init=/sysroot/bin/sh” on the kernel line, the user can boot into single user mode without being asked for the root password.

So it is important to add a password to GRUB to protect single user mode on RHEL/CentOS systems.

To do this, set a strong GRUB password using the grub2-setpassword utility, which stores it as a hash. When you run the following command, you will be asked to enter the GRUB password twice.

# grub2-setpassword

The password hash is stored in /boot/grub2/user.cfg and the user is defined in /boot/grub2/grub.cfg. You can view the password hash using the following command.

# cat /boot/grub2/user.cfg

Open the /boot/grub2/grub.cfg file and search for the boot entry, which starts with menuentry. Once you have located it, remove the --unrestricted parameter from it.

Save and close the file. Now reboot the system and try to modify the boot entries by pressing the ‘e’ key. You will be prompted for the password.
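A check for the state this procedure should leave behind, added here as an example and not taken from the original article: it confirms that user.cfg contains a GRUB2_PASSWORD hash and lists any menuentry in grub.cfg that still has --unrestricted. The function names and the sample files are constructed for illustration; the default paths are the two files named above.

```shell
#!/bin/bash
# Added example (not the article's code): audit the two files edited above.

# Print "set" when user.cfg holds a GRUB2 PBKDF2 hash, otherwise "missing".
grub_password_state() {
    local user_cfg=${1:-/boot/grub2/user.cfg}
    if [ -r "$user_cfg" ] && grep -Eq \
        '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' "$user_cfg"
    then echo set; else echo missing; fi
}

# Print the title of each menuentry that still carries --unrestricted.
unrestricted_entries() {
    local grub_cfg=${1:-/boot/grub2/grub.cfg}
    [ -r "$grub_cfg" ] || return 0
    grep -E '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$grub_cfg" |
        sed -E "s/^[[:space:]]*menuentry[[:space:]]+['\"]([^'\"]*)['\"].*/\1/"
}

# Return 0 only when a hash is present and no entry is left --unrestricted.
audit_grub() {
    local entries rc=0
    if [ "$(grub_password_state "$1")" != set ]; then
        echo "FAIL: no GRUB password hash found"; rc=1
    fi
    entries=$(unrestricted_entries "$2")
    if [ -n "$entries" ]; then
        echo "FAIL: menuentry still has --unrestricted:"
        echo "$entries" | sed 's/^/  /'; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: hash present, no --unrestricted entries"
    return "$rc"
}

# Constructed sample files (placeholder hash and entries, not real output).
demo_dir=$(mktemp -d)
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AAAA.BBBB' > "$demo_dir/user.cfg"
cat > "$demo_dir/grub.cfg" <<'EOF'
menuentry 'Sample Linux A (constructed)' --class gnu-linux --unrestricted {
    linux16 /vmlinuz-sample root=/dev/sda1 ro
}
menuentry 'Sample Linux B (constructed)' --class gnu-linux {
    linux16 /vmlinuz-sample root=/dev/sda1 ro
}
EOF
audit_grub "$demo_dir/user.cfg" "$demo_dir/grub.cfg" || true
```

On a real host, call audit_grub as root with no arguments to use the default paths, or pass other paths explicitly.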

In this article, we have learnt how to password protect single user mode in CentOS/RHEL by setting a password for GRUB. It is important to password protect single user mode so that only authorized users can access it.
